Why must Non-EU Sponsors sign Controller-Processor SCCs with vendors in third countries?

The EDPB, in its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, provides the following example of direct collection of data followed by a transfer to a service provider outside the EU.

Example 2: Controller in a third country collects data directly from a data subject in the EU (under Article 3(2) GDPR) and uses a processor outside the EU for some processing activities

Maria, living in Italy, inserts her name, surname and postal address by filling a form on an online clothing website in order to complete her order and receive the dress she bought online at her residence in Rome. The online clothing website is operated by a third country company that has no presence in the EU, but specifically targets the EU market. In order to process the orders received by means of the website, the third country company has engaged a non-EEA processor. In this case, the data subject (Maria) passes her personal data to the third country company and this does not constitute a transfer of personal data since the data are directly collected by the controller under Article 3(2) GDPR. Thus, the controller will have to apply the GDPR to the processing of this personal data. As far as it engages a non-EEA processor, such disclosure from the third country company to its non-EEA processor would amount to a transfer, and it will be required to apply Article 28 and Chapter V obligations so as to ensure that the level of protection afforded by the GDPR would not be undermined when data are processed on its behalf by the non-EEA processor.

This example can apply mutatis mutandis to a situation where a Non-EU Sponsor conducting clinical trials in the EU collects data directly from the clinical trial participants who agree to join the research study.

Nonetheless, the recently approved EUCROF Code of Conduct takes a different position and considers that it is the CRO that collects the data from the trial participants, providing multiple examples, including the following one:

 

  • A CRO based in a non-EU country providing medical monitoring services transfers Personal Data of data subjects at EU Investigational Sites to a non-EU based Sponsor (scenario d).

In my view, if such a scenario were correct, it would overcomplicate the application of the GDPR for Data Controllers and Processors. Returning to the example provided by the EDPB: a website, in order to collect data from individuals, needs a Web Hosting Provider that stores and processes the data as part of its technical services, but this doesn't make the web hosting provider the party that collects the data directly from the users and then transfers them to the company owning the website.

Well, in clinical trials it's about the same. A clinical trial sponsor, in order to conduct a clinical trial, uses multiple service providers, including Contract Research Organizations (CROs), Electronic Data Capture (EDC) Providers, eConsent and Patient Engagement Platforms, Lab and Imaging Service Providers, etc. These parties act on behalf of the Sponsor and collect the data for the purposes determined by the Sponsor. From the individual's perspective, the data is being given directly to the Sponsor, who may use multiple parties to process it, but it is the Sponsor who is responsible for any data collection and sharing.

The Health Research Authority (HRA) in the UK has also clarified when there is a direct data collection by the sponsor and when there is an indirect data collection:

“The sponsor is the controller and obtains personal data directly from data subjects for research when the information is intended to be used for research purposes at the time it is collected. This includes personal data obtained on behalf of the sponsor by clinical staff at a site or a research laboratory, as well as that provided by the participant to the sponsor. When personal data is obtained directly for research, the transparency information set out in the first column of the table should be available and accessible to the data subjects at the time the personal data is collected. The sponsor is the controller and obtains personal data indirectly when the personal data was collected by a different organisation for a purpose other than research at the time it was provided by the data subject, or when the personal data was provided to a different sponsor for research.”

To conclude, in my view, GDPR application, including the mechanism for cross-border transfers, shouldn't be too complicated, and if we are able to look at the data controller as the centre of the processing activities, this will make things easier and clearer for everyone to follow and to implement processes and procedures aligned with the GDPR across multiple industries.

DA.
