Local laws

Yes.

The Privacy Act 1988 (Cth) (Privacy Act) makes provision for circumstances where the handling of personal information and health inform may take place where it is impracticable for researchers to obtain the individual’s consent.

This recognizes:

• The need to protect health information from unexpected uses beyond individual healthcare.
• The important role of health and medical research in advancing public health.

To promote these ends, the Privacy Commissioner (the regulator) has approved two sets of legally binding guidelines, issued by the National Health and Medical Research Council (NHMRC):

• Guidelines under Section 95 of the Privacy Act 1988, which set out procedures that Human Research Ethics Committees (HRECs) and researchers must follow when personal information is disclosed from a Commonwealth agency for medical research purposes.
• Guidelines under Section 95A of the Privacy Act 1988, which provide a framework for HRECs to assess proposals to handle health information held by organisations for health research (without individuals' consent). They ensure that the public interest in the research activities substantially outweighs the public interest in the protection of privacy.

No.

No.

The Belgian Data Protection Authority has not (yet) published specific guidelines on clinical trials or pharmacovigilance. It has, however, published guidelines on the more general topic of ‘Research’ which are available in Dutch and French. 

No.

No, the Croatian Personal Data Protection Agency has not published such a document.

The Agency for Medicinal Products and Medical Devices of Croatia has published a Guide for patients on clinical trials. In this guide it is briefly stated that the clinical trials involve processing of special categories of personal data and is additionally noted that most trials use codes instead of the name of the data subjects to ensure anonymity. The Guide is available only in Croatian language and can be found on the following link.

There is no such guideline or regulation in the Czech Republic addressing privacy matters on clinical trials and / or pharmacovigilance specifically.

Please note, in 2004 the Czech Data Protection Authority (UOOU) issued an opinion addressing privacy matters on clinical trials (which was revised in 2013).

However, due to the adoption of the GDPR and the effectiveness of the Czech Act No. 110/2019 Coll., on the processing of personal data, this opinion has become invalid and, thus, is no longer applicable.

It is further to be noted that, currently, the Czech Data Protection Authority is relying mostly upon the Opinion No. 3/2019, on questions and answers on the interaction between the Clinical Trials Regulation and the General Data Protection Regulation, issued by the European Data Protection Board (“EDPB”).

No.

A brief introduction to the area can be found on the Datatilsynet website. This text does, however, not provide any supplementary guidance, but is merely an overview of the fundamental rules and the interplay with other legislation, such as the Act on Research Ethics Review of Health Research Projects (Act no 1338 of 1 September 2020), according to which clinical trials in Denmark must be preapproved by the Ethical Committee.

Yes.

The Finnish national legislation addresses privacy matters in relation to clinical trials.

The Data Protection Act regulates processing of special category data in scientific research in section 6. The English translation of the act is available here.

The Medical Research Act regulates clinical trials, and it addresses processing of personal data in clinical trials in section 21a. The English translation of the act is available here.

The Act on Clinical Drug Trials regulates clinical drug trials, and it addresses processing of personal data in the trials in section 33. The act is only available in Finnish here.

The Medicines Act regulates medicinal products and their safe and proper use. It also regulates pharmacovigilance in chapter 4 a. The act does not address privacy directly, but it creates a legal obligation to collect personal data and a specific retention period for the data collected in section 30e. The current version of the act is only available in Finnish here.

In addition, the Finnish data protection authority has issued guidelines on its website on scientific research, which follow the requirements arising from the GDPR. These guidelines can be found here.

Yes.

Notably:

The French data protection authority (CNIL) has issued a methodology of reference (“MR”) on 3 May 2018 on personal data processing carried out in health research with the data subject’s consent (MR-001) which covers, notably clinical trials as defined by Regulation (EU) 536/2014 of the European Parliament and of the Council of April 16, 2014 on clinical trials of medicinal products for human use, and repealing Directive 2001/20/EC, except for clinical trials the person does not object to participating in, in accordance with the terms of Article 30 of the Regulation (cluster trials).

The MR-001 is available here in French.

The French data protection authority (CNIL) has issued a methodology of reference on 3 May 2018 on the personal data processing carried out in health research that does not require the data subject’s consent (MR-003) which covers, notably clinical trials in which the research subject does not object to participating, in accordance with Article 30 of Regulation (EU) 536/2014 of the European Parliament and of the Council of April 16, 2014 on clinical trials of medicinal products for human use, and repealing Directive 2001/20/EC (cluster trials).

The MR-003 is available here in French.

Controllers that commit to comply with a methodology of reference are authorized, without further formalities, to conduct their processing if they satisfy the criteria set out in said methodology of reference.

Any personal data processing that exceeds the framework of the methodology requires a specific authorization from the CNIL.

Up to 5 MR exist to date to cover various research in the health sector.

The CNIL has also published a standard on 18 July 2019 concerning the processing of personal data for the purpose of vigilance in the health sector, including pharmacovigilance. Controllers that commit to comply with this standard shall be authorized to conduct processing if they satisfy the criteria set out in these provisions. Any personal data processing that exceed the framework of the standard should filed a specific authorization request to the CNIL.

This standard is available here in French.

The French Ministry of Solidarities and Health has published Q&A on its website regarding the impact of the GDPR on clinical trials.

Not specifically.

There is a guideline on joint controllership issued by the German data protection conference (Datenschutzkonferenz) where the sponsor and the clinical trial site are exemplarily mentioned as joint controllers in accordance with Art 26 GDPR. However, without deeper legal justification. Moreover, the guideline is currently under revision. The current version can be found online (German version only).

No.

The Hellenic Data Protection Authority (“HDPA”) has not issued any guidance οn clinical trials or pharmacovigilance.

The National Ethics Committee has issued a guidance for protocols and the document with clarifications on the implementation of GDPR in the framework of clinical trials. Please note that the aforementioned documents are available only in Greek language.

On the other hand, no pharmacovigilance specific guidance / statute has been issued in the Greek jurisdiction.

No. However, the Hungarian Data Protection Authority (“NAIH”) would most probably rely on the Opinion 3/2019 of the European Data Protection Board concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) (art. 70.1.b)) adopted on 23 January 2019. Additionally, the European Commission (DG SANTE) issued a document on “Questions and Answers on the interplay between the Clinical Trials Regulation (CTR)1 and the General Data Protection regulation (GDPR)” (available at this link) after a consultation with the EDPB.

The Hungarian National Institute of Pharmacy and Nutrition also published certain answers to frequent questions related to healthcare services, which include some general recommendations related to clinical trials in line with the above-referred Opinion 3/2019. Such recommendations are available at the following link (in Hungarian only).

In addition to the above, the Clinical Pharmacology Ethical Committee of the Medical Research Council (ETT KFEB) has also published a guidance on data protection requirements for clinical trial package leaflets (available at the following link – in Hungarian only).

In Ireland, data controllers engaged in Health Research, including processing of any personal data (regardless of whether the data includes individually identifiable health data), are subject to Health Research Regulations 2018 (“HRRs”)¹ and must comply with mandatory suitable and specific measures for processing of personal data for the purposes of health research.

The Department of Health in Ireland issued “Guidance on Information Principles for informed consent for the processing of personal data for health research” (the “Guidance”) which is available here. This guidance sets out the requirement to obtain explicit consent where health data are processed for health research purposes and lists a comprehensive inventory of information which is required to be provided to the individual for such consent to be valid when they provide their personal data for health research purposes.

In January 2021, amendments to the HRRs were published (the “Amendments”)², along with a suite of guidance prepared by Department of Health, the Secretariat to the Health Research Consent Declaration Committee (HRCDC)³ and the Health Service Executive and in consultation with the Irish Data Protection Commission (“DPC”):

• Guidance on Explicit Consent Amendment
• Guidance on Pre-Screening Amendment
• Guidance on Retrospective Chart Review Amendments
• Guidance on Deferred Consent Amendments
• Guidance on Informed Consent under EU Directive Amendments

[1] S.I. No. 314 of 2018 Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018
[2] S.I. No. 18/2021 – Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2021
[3] The HRCDC was established as part of the Health Research Regulations made under the Data Protection Act, 2018.

Yes.

The Italian Data Protection Authority (“Italian DPA”) has issued the Guidelines for Data Processing within the Framework of Clinical Drug Trials on 24 July 2008 (“Guidelines”). Although the Guidelines have been issued before the GDPR entered into force, most of their provisions are still valid and effective.

The Guidelines are available at the following link.

No, the Commission National pour la Protection des Données (National Commission for Data Protection – “CNPD”) has not published any guidelines concerning clinical trials or pharmacovigilance.

However, the CNPD refers to the European Data Protection Board’s Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection regulation (“GDPR”) (art.70.1.b)) on its website, which is used as basis for interpretation of the questions herein.

Another relevant document that is taken into account by the CNPD is the Question and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation published by the European Commission.

It should be taken into account that according to Grand Ducal Regulation of 30 May 2005 concerning the application of good clinical practice in conducting clinical trials for medicinal products for human use (the “GDRCT”) “detailed indications concerning the filing of the application and documents to be furnished to apply for the opinion of the ethics committee, in particular in regards to information provided to participants, as wells as the appropriate guarantees to ensure the protection of personal data, formulated by the Commission, are applicable in Luxembourg from its publication at the European Union Official Journal”.

In addition, it should be noted that Sections 63 to 65 of the Act of 1 August 2018 (the “Data Protection Act”) set general rules for processing for the purposes of scientific or historical research that can be applicable to clinical trials.

No laws in Montenegro address privacy matters specifically in clinical trials and/or pharmacovigilance as such.

Privacy matters in the context of clinical trials are not specifically regulated under healthcare or similar laws which would specifically deal with the interplay between data protection and healthcare, but enjoy only the general protection under the Personal Data Protection Law of 2008, as amended (the “DP Law”). The DP Law is at the moment unharmonized with the GDPR, even though Montenegro expects a harmonized law to be passed in the foreseeable future.

Exceptionally, the Law on Medicines (the “Law on Medicines”), as the main law dealing with medicines (including clinical trials thereof) stipulates that clinical trial of the drug is conducted in compliance with the principles of medical ethics and mandatory protection of privacy and data of participants in accordance with the regulations adopted on the basis of the Law on Medicines and the Guidelines of Good Clinical Practice. Nevertheless, mentioned regulations were not adopted and the Guidelines do not go into further detail on this matter.  

On the other hand, the relevant authorities which are associated with data protection or clinical trials have not yet adopted any specific guidelines which would explain the interplay between the two. In the absence of such, it is reasonably expected that acting in accordance with (i) the general principles of the DP Law and (ii) the international standards of data protection in clinical trials (such as the European Data Protection Board’s Opinion concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the GDPR) would be a good way to go.

No.

The regulator of North Macedonia has not published any guidelines/regulations that address privacy matters on clinical trials and/or pharmacovigilance so far.

General laws and bylaws regulating these issues are applicable to clinical trials and/or pharmacovigilance as well, including:

• The Law on Medicines and Medical Devices (“Law on Medicines”);
• The Law on Personal Data Protection (“DP Law”);
• The Rulebook on the Necessary Documentation and the Manner of Reporting Clinical Trials of Medical Devices and Changes Occurred and, Reporting on Adverse Reactions and Events, i.e., Incidents, as well as the Conditions to be Fulfilled by Legal Entities that Perform Clinical Trials of Medical Devices (“Rulebook on Clinical Trials of Medical Devices”);
• The Rulebook on the Manner of Reporting, the Content of the Form for Reporting the Adverse Reactions to Medicines and the Manner of Organization of the Pharmacovigilance System (“Rulebook on Reporting of Adverse Reactions to Medicines”);
• The Rulebook on the manner and Procedure for Pharmacological-Toxicological and Clinical Examination of Medicines (“Rulebook on PT and Clinical Examination of Medicines”);
• The Guidelines on the Principles of Good Clinical Practice (“Principles of Good Clinical Practice”).

Yes.

The Norwegian Medicines Agency has published information regarding the Regulation (EU) No. 536/2014 which is implemented as a Norwegian regulation. They have published answers to frequently asked questions and information about transitional rules. They will provide updated information but for the time being they provide a link to the information on EMA- and European commission web pages (Clinical trial guidelines). The information can be found on this page.   

In Norway all clinical trials must be pre-authorised by the Norwegian Medicines Agency as well as by the Norwegian Research Ethics Committees (REK).

The Norwegian DPA has no guidelines regarding clinical trials in particular, but clinical trials are like all medical research regulated in the Health Research Act in addition to the clinical trials regulation.

All medical and health research projects need ethical prior approval from REK. The project manager / researcher is responsible for consulting with his or her own institution, and to clarify whether the processing of information is of such a nature that it requires a special assessment of privacy consequences.

No.

Works on the “Code of Conduct for the medical research industry” by INFARMA, the industry association that brings together the majority of pharmaceutical companies in Poland, are in progress according to the publicly available information but the draft has neither been published nor submitted for approval yet.

There are no updated guidelines issued by Data Protection Supervisory Authority “CNPD”. However, prior to General Data Protection Regulation (GDPR), CNPD published the resolution no. 1704/2015 which addresses personal data processing related aspects within the context of clinical research and resolution no. 219/2009 which addresses personal data processing related aspects within pharmacovigilance context. Although both resolutions remain accurate in terms of general principles, certain aspects are not aligned with GDPR.

In 2018 the Commission of Ethic for Clinical Trials (‘CEIC’) published a paper (hereinafter ‘CEIC Paper’), briefly addressing certain data protection issues that might arise with the processing of personal data, within the context of clinical trials. However, this seemed to be more of an informative nature, even if, considering CEIC attributions and involvement in clinical trials matters, it can be understood as a guideline for the processing of personal data in this context.

No.

No laws in Serbia address privacy matters specifically in clinical trials and/or pharmacovigilance as such.

Privacy matters in the context of clinical trials are not specifically regulated under healthcare or similar laws which would specifically deal with the interplay between data protection and healthcare, but enjoy only the general protection under the Personal Data Protection Law of 2018, which represents a general data protection law and is a copy of the GDPR in most of its text (the “DP Law”).

Exceptionally, the Law on Medicines and Medical Devices (the “Law on Medicines”), as the main law dealing with medicines and medical devices (including clinical trials thereof) stipulates that clinical trials may only be undertaken provided that, inter alia, privacy and data protection of subjects participating in the clinical trial is ensured. Nevertheless, the Law on Medicines does not go into further detail to explain any such mechanism.

Ever since the Personal Data Protection Law came into force in 2019, it sought to initiate a chain of reaction with other, sectorial laws (such as the Law on Medicines), by stipulating that they too shall be adjusted to fit the specifics of the data protection regime. However, this did not yet occur and therefore, there are no specific rules which apply to the processing in clinical trials and/or pharmacovigilance.   

On the other hand, the relevant authorities which are associated with data protection or clinical trials have not yet adopted any specific guidelines which would explain the interplay between the two. In the absence of such, it is reasonably expected that acting in accordance with (i) the general principles of the DP Law and (ii) the international standards of data protection in clinical trials (such as the European Data Protection Board’s Opinion concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the GDPR) would be a good way to go.

Yes.

The Spanish Data Protection Commissioner (“AEPD”) in collaboration with Farmaindustria - the industry association that brings together the majority of pharmaceutical companies established in Spain – has approved the “Code of conduct regulating the processing of personal data in the field of clinical trials and other clinical research and pharmacovigilance” (the “Code”).

The Code is available in the following link.

No.

The Swedish Authority for Privacy Protection does however state on its website that a data protection impact assessment should be done with respect to processing of pseudonymized sensitive personal data relating to data subjects from research projects or clinical trials (checked 26 May 2022).

Yes.  The Health Research Authority (“HRA”) published GDPR guidance for researchers and study coordinators in 2018 that covers the following areas: (i) consent; (ii) controllers and personal data in health and care research; (iii) transparency; (iv) safeguards; (v) data subject rights; and (vi) data protection impact assessments.

In April 2022, the Information Commissioner’s Office (“ICO”) published draft guidance on the research provisions under the UK GDPR and Data Protection Act 2018 (including scientific research). This guidance covers issues including: (i) the definition of scientific research; (ii) legal basis; (iii) data subject rights; and (iv) purpose limitation / re-purposing personal data for scientific research.