Joint Controller Agreement Clinical Trials
It is increasingly common to find hospitals and regulators in European countries that defend the independent control model. Here, the parties defend an origin-based approach to defining the controller, where each controller is responsible for the data it inserts into the system, meaning that for the purposes of the clinical trial, the sponsor is responsible for the key-coded data it inserts into the study systems, and the sites are responsible for the named data that they insert into medical care systems (e.g., the patient's medical history). One of the most important tasks of the controller, the joint controller and the processor is to ensure that the personal data collected and processed during a clinical trial is adequately protected. This responsibility applies regardless of whether the personal data is a regular or special category of personal data. The draft guidelines also emphasise that an organisation may be considered a controller without having access to personal data processed on its behalf and in accordance with its instructions. In practice, this means that a pharmaceutical company could be a controller if it determines the essential means and purposes for which patients' personal health data is processed by a healthcare professional, even if the company does not have access to such patient data. The relationship between the controller and the processor must be governed by a contract or other legal act, such as a data processing agreement. This relationship can be considered subordinate since the processor must act on the instructions of the controller and not the other way around. If a subcontractor does not act accordingly, they can be fined for non-compliance with the GDPR. In a clinical trial, a hospital must act according to the sponsor's instructions when processing the personal data of study participants.
On the other hand, if the investigator is not involved in the design of the clinical trial protocol and merely follows and implements that protocol as developed and designed by the sponsor, the investigator is a processor and the sponsor is the controller. To answer this point, the draft directive introduces a distinction between "substantial means" and "non-essential means" for the processing of personal data. The essential means that could be determined solely by the controller include the type of personal data processed and the categories of data subjects, the duration of the processing and the recipients of the personal data. The most common circumstances in which the parties are joint controllers are when they are involved in the same processing or when the parties pursue complementary or closely related objectives. This could be the case, for example, if there is a mutual benefit of the same processing operation. Any type of entity can play the role of controller. This means that an organization, an individual or even a group of individuals can assume the role of controller. The controller exercises influence over the processing on the basis of its decision-making power.
The decision as to why and how personal data are processed may be taken solely by the controller or jointly with other bodies. However, it is always the controller who must decide on the means and purposes of the processing of personal data. A controller may be briefly defined as the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. [1] Second, some sponsors of clinical trials outside the EEA have argued that the GDPR does not apply to them at all because they do not have access to identifiable patient data. In a clinical trial, a principal investigator may be responsible for clinical research purposes, jointly with the sponsor or a subcontractor, and an independent data controller may be solely for the purposes of patients' healthcare. Therefore, it seems that the responsibilities lie with the individual actors. In this case, study sites and sponsors make important decisions about how personal data is processed in clinical trials. As a result, they can be considered joint controllers. The relationship between the proponent and the experimental sites could be interpreted differently in cases where the proponent determines the objectives and essential elements of the means and where the researcher has very limited room for manoeuvre.
A security measure that the parties can implement is the pseudonymization of personal data. The data is processed in such a way that the personal data can no longer be attributed to a specific study participant without the use of additional information [4]. This additional information must be kept separately and the technical and organisational measures must guarantee the anonymity of the personal data.
In a clinical trial, an example would be the pseudonymization of data collected from the sponsor's reporting forms, for example, by the hospital or testing facility assigning a code to each study participant. The key code used is also kept separately and securely. The Article 29 Working Party attempted to clarify the situation by publishing notice No. 1/2010 on the terms "controller" and "processor" on 16 February 2010, in which the following was stated: In the context of a clinical trial, the sponsor is considered to be the controller, since it is the sponsor who determines why and how personal data are processed. . . .
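The site-assigned coding described above can be sketched as follows. This is an added example, not taken from the article or from any study system: the class, the field names and the `SITE01` identifier are assumptions, and the sample visits are constructed. The site keeps the key table; the sponsor receives only the coded records.

```python
import secrets

# Direct identifiers that never leave the site (assumed field names).
DIRECT_IDENTIFIERS = {"name", "date_of_birth", "hospital_number"}


class SitePseudonymizer:
    """Held by the site; the sponsor never receives this object or its key table."""

    def __init__(self, site_id):
        self.site_id = site_id
        self._key_table = {}  # hospital_number -> subject code (the "key code")

    def _code_for(self, hospital_number):
        # Codes are random, not hashes of identifiers: a hash of a hospital
        # number can be brute-forced by anyone who holds the coded dataset.
        if hospital_number not in self._key_table:
            used = set(self._key_table.values())
            code = f"{self.site_id}-{secrets.token_hex(4).upper()}"
            while code in used:  # regenerate on the rare collision
                code = f"{self.site_id}-{secrets.token_hex(4).upper()}"
            self._key_table[hospital_number] = code
        return self._key_table[hospital_number]

    def to_sponsor_record(self, record):
        """Return the key-coded record destined for the sponsor's study system."""
        coded = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        coded["subject_code"] = self._code_for(record["hospital_number"])
        return coded

    def reidentify(self, subject_code):
        """Site-only lookup (e.g. safety follow-up); None if the code is unknown."""
        for hospital_number, code in self._key_table.items():
            if code == subject_code:
                return hospital_number
        return None


# Constructed sample visits (not real patient data).
SAMPLE_VISITS = [
    {"name": "Jane Roe", "date_of_birth": "1980-02-11",
     "hospital_number": "H-1001", "visit": 1, "systolic_bp": 128},
    {"name": "Jane Roe", "date_of_birth": "1980-02-11",
     "hospital_number": "H-1001", "visit": 2, "systolic_bp": 121},
    {"name": "John Doe", "date_of_birth": "1975-09-30",
     "hospital_number": "H-1002", "visit": 1, "systolic_bp": 140},
]


def build_sponsor_dataset(pseudonymizer, visits):
    return [pseudonymizer.to_sponsor_record(v) for v in visits]
```

The same participant keeps one code across visits, so the sponsor can link records longitudinally, while attributing a record to a person requires the key table that stays at the site.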