Extraterritorial applicability

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

No.

Law no. 9887 “On the Protection of Personal Data”, as amended (Data Protection Law), does not provide for extraterritorial applicability.

However, the domestic Data Protection Law does extend to controllers located outside the territory of the Republic of Albania who process personal data with “means” located within the territory of the Republic of Albania. The law does not define “means”; however, the Commissioner has confirmed verbally on several occasions that “means” shall be understood as anything from equipment (i.e., servers), apps or persons located in Albania to collect personal data.

In case the controller (i.e., sponsor) is located outside the Republic of Albania, it must appoint a designated representative located within the territory of the Republic of Albania.

Last modified 18 Oct 2022

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

Depending on factual analysis.

The Australian Privacy Principles (the APPs) (as set out in Schedule 1 to the Privacy Act) extend to an act done, or practice engaged in, outside Australia by an organization that has an Australian link (s 5B(1A)).

An organization has an Australian link where it is:

  • An Australian citizen or a person whose continued presence in Australia is not subject to a legal time limitation
  • A partnership formed, or a trust created, in Australia
  • A body corporate incorporated in Australia, or
  • An unincorporated association that has its central management and control in Australia (s 5B(2))

An organisation that does not fall within one of those categories will also have an Australian link where:

  • It carries on business in Australia, and
  • It collected or held personal information in Australia, either before or at the time of the act or practice (s 5B(3))

Note: The phrase ‘carries on business in Australia’ in s 5B(3)(c) is not defined in the Privacy Act. However, it arises in other areas of law, including corporations and consumer law. Guidance may be drawn from judicial consideration of the phrase in those contexts.

Last modified 18 Oct 2022

n/a

Last modified 27 Feb 2023

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes. If a sponsor is not established in the EEA but carries out clinical trials on data subjects in Belgium, this will likely amount to the sponsor monitoring data subjects in the EEA, and the sponsor therefore comes within the scope of the GDPR by virtue of Article 3(2)(b).

There are no particular considerations for Belgium with regard to this assessment of the territorial application of the GDPR. In any case, the facts of the case would need to be assessed against the constitutive elements of Articles 3(1) and 3(2) GDPR.

Last modified 15 Sep 2022

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

No.

The Law on Protection of Personal Data of Bosnia and Herzegovina (the “Law”) is the main law governing data protection and privacy in Bosnia and Herzegovina (“BH”) and in the absence of guidelines/regulations specifically addressing privacy matters on clinical trials, general provisions envisaged by the Law are applicable to the clinical trials as well. The Law lacks provisions envisaging its extraterritorial effect, therefore it is generally not applicable to foreign data controllers. In addition, to the best of our knowledge, the BH Data Protection Agency (“DPA”) has never taken actions against foreign data controllers as it lacks instruments for enforcement of the Law against foreign entities. 

Last modified 18 Oct 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(b).

In case the sponsor is not located within the EU, it must appoint a representative located within the EU, as required by Article 27 of the GDPR.

Last modified 18 Oct 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(b).

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by Article 27 of the GDPR.

Last modified 15 Sep 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, where data subjects are located within the EU, the GDPR will apply, pursuant to GDPR article 3(2)(a) and/or article 3(2)(b).

Furthermore, if data subjects are located in Denmark, the Danish Data Protection Act (the “Act”) will apply, pursuant to section 4(3)(1) of the Act, which is equivalent to article 3(2)(a), and/or section 4(3)(2) of the Act, which is equivalent to article 3(2)(b), with the exception that the geographic scope is narrowed down from the EU to Denmark.

Last modified 15 Sep 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Finland does not have any country specific guidance on this matter and the general EU approach is followed.  

Article 3(2)(a) GDPR applies if the data subjects are located in the EU.   

However, depending on a case-by-case assessment, it cannot be excluded that Article 3(2)(b) would apply instead of Article 3(2)(a). Data subjects are often offered the possibility to participate in a clinical trial and they receive compensation for this participation. Therefore, it can be assessed that the clinical trial is offered as a service and falls under the scope of Article 3(2)(a). However, in some cases Article 3(2)(b) can be applicable depending on how the clinical trial is arranged.

Last modified 18 Oct 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

As provided by Article 3(2)(b), if a data controller located outside the EU monitors the behaviour of data subjects located within the EU, the GDPR applies to that data controller. According to the guidelines published by the European Data Protection Board (“EDPB”) on the territorial scope of the GDPR, the application of Article 3(2)(b) encompasses a broad range of monitoring activities, including monitoring or regular reporting on an individual’s health status.

Therefore, in the context of a clinical trial, if the sponsor processes personal data of data subjects located in France, the sponsor would have to comply with the GDPR by virtue of Article 3(2)(b).

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by article 27 of the GDPR. This is aligned with the clinical trials regulation (article 39 of the Royal Decree 1090/2015, which regulates clinical trials with medicinal products) that sets forth that when the Sponsor is located outside the EU, it shall have a legal representative within the EU.

Last modified 18 Oct 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(b), as the sponsor is monitoring the behaviour of the data subjects. (See example “Monitoring or regular reporting on an individual’s health status” of the European Data Protection Board in their Guidelines 3/2018 on the territorial scope of the GDPR, Version 2.1, 12 November 2019).

Last modified 25 Oct 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, GDPR applies to clinical trials executed by sponsors not established in the EU, to the extent that processing activities entail data processing of data subjects in the EU, subject to Article 3(2)(a) of the GDPR. In addition, Greek Law 4624/2019 supplementing the GDPR applies to the extent that data are processed within the territory of Greece.

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by article 27 of the GDPR. This is in line with Article 74 of the Clinical Trials Regulation (CTR), implemented by Article 13 of the Ministerial Decision Γ5α/59676 of Ministers of Finance, Development and Health (Government Gazette vol. Β, 4131/22.12.2016), according to which a Sponsor not established in the EU shall appoint a legal representative (natural or legal person) established within the EU territory.

Last modified 14 Sep 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(a).

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by article 27 of the GDPR.

Last modified 14 Sep 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that the sponsor is processing personal data in the context of the activities of an establishment of a controller or processor in the EU based on Article 3(2)(a), or if clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(b).

In Ireland, in cases where the sponsor is not established within the EU, it shall appoint a representative within the EU responsible for ensuring compliance with the sponsor’s obligations pursuant to the Clinical Trials Regulation and Irish implementing legislation.  

(15) Where a natural or legal person is established in the European Union as the legal representative of a sponsor not established in the Union in accordance with Article 74(1) of the Clinical Trials Regulation, that representative shall be responsible for ensuring compliance with the sponsor's obligations in the State, pursuant to the Clinical Trials Regulation and these Regulations. [1]

A “legal representative” means the natural or legal person established in the European Union as the legal representative of a clinical trial sponsor who is not established in the Union.

[1] S.I. No. 99/2022 - European Union (Clinical Trials on Medicinal Products for Human Use) (Principal) Regulations 2022 (Part 2, S.15)

Last modified 14 Sep 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that either:

  • Clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(a); or
  • Clinical trial in the EU entails the monitoring of relevant participants and/or personnel located in the EU, based on Article 3(2)(b).

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by Article 27 of the GDPR.

Last modified 31 Aug 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Since there are no specific guidelines and the practice of the CNPD is not particularly extended in this regard, the general provisions of Section 3 GDPR will apply. Therefore, the GDPR would be applicable to a Sponsor outside the EEA if it:

  • Offers goods or services to data subjects in the EU (Article 3(2)(a) GDPR);
  • Monitors the behaviour of data subjects in the EU (Article 3(2)(b) GDPR).

There are no clear rules regarding on which of the two bases the GDPR will be applicable to Sponsors not established in the EEA. The European Commission Q&A mentioned above does not shed too much light on the question either.

A case-by-case assessment would therefore be necessary.

Last modified 14 Sep 2022

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

Yes, the DP Law provides for one situation where the DP Law applies extraterritorially.

Namely, Article 5 of the DP Law stipulates that the DP Law applies to a controller established outside Montenegro or which does not have a permanent residence in Montenegro, when the equipment used to process the personal data is located in Montenegro (unless it is being used solely for the purposes of transferring data through the territory of Montenegro).

Thus, while the DP Law formally recognizes extraterritorial applicability, there is only a narrow set of situations which would result in the applicability of the DP Law. In the clinical trials context, the extraterritorial applicability would be triggered only in situations where (i) the controller of clinical trial personal data is established someplace other than Montenegro (e.g., USA), and (ii) the equipment used to process personal data of participants in the clinical trial is located in Montenegro (regardless of whether the participants are located in/nationals of Montenegro). Relevant equipment may include any hardware (e.g., servers, mainframes) which is used to perform processing in the clinical trial.

Last modified 19 Oct 2022

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

Yes, the DP Law has the same extraterritorial scope as the GDPR and in accordance with Article 3 paragraph 2(a) applies to the processing of personal data of data subjects from the Republic of North Macedonia by a controller or processor not established in the Republic of North Macedonia, where the personal data processing activities are related to the (i) offering of goods and services to local consumers, regardless whether they are required to make payments, or (ii) monitoring the behaviour of the personal data subjects, if that behaviour takes place in the Republic of North Macedonia.

Consequently, by analogy with the GDPR, it can be assumed that the sponsor will be considered subject to the DP Law based on the ‘monitoring of behaviour’ limb. In some contexts, the ‘offering of goods and services’ limb may also be relevant in the context of providing the service of medical investigation to improve a patient’s health.

Note that the DP Law as lex generalis is the only regulation that provides extraterritorial applicability for matters related to personal data protection, i.e., there is no specific regulation of clinical trials that provides for extraterritorial applicability.

Last modified 18 Oct 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that either:

  • Clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(a); or
  • Clinical trial in the EU entails the monitoring of relevant participants and/or personnel located in the EU, based on Article 3(2)(b).

The Health Research Act is considered as additional national regulation and the act applies to medical and health research on Norwegian territory, or when the research takes place under the auspices of a research manager established in Norway.

The Clinical Trials Regulation states that a sponsor located outside EEA must have a legal representative in the EEA-area and that the representative must document this authorization to the Norwegian Medicines Agency.

Last modified 31 Aug 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that either:

  • Clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(a); or
  • Clinical trial in the EU entails the monitoring of relevant participants and/or personnel located in the EU, based on Article 3(2)(b). 

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by article 27 of the GDPR. This is aligned with the clinical trials regulation (Article 2(37a) of the Pharmaceutical Law, which regulates conducting clinical trials with medicinal products in Poland) that sets forth that when the Sponsor is located outside the EU, it shall have a legal representative within the EU.

Last modified 31 Aug 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that either:

  • Clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(a); or
  • Clinical trial in the EU entails the monitoring of relevant participants and/or personnel located in the EU, based on Article 3(2)(b).

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by article 27(1) of the GDPR.

Last modified 31 Aug 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, the GDPR applies, to the extent that either:

  • Clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(a); or
  • Clinical trial in the EU entails the monitoring of relevant participants and/or personnel located in the EU, based on Article 3(2)(b). 

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by article 27 of the GDPR. This is aligned with the clinical trials legislation (article 67 (2) Order no. 904/2006 for the implementation of good clinical trial practices) that sets forth that when the Sponsor is located outside the EU, it shall have a legal representative within the EU.

Last modified 31 Aug 2022

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

Yes, the DP Law provides for extraterritorial applicability.

Article 3 of the DP Law introduces substantially the same extraterritorial applicability as the GDPR. In that sense, the DP Law applies to processing performed by a controller or processor with its registered office, residence or domicile in the territory of Serbia, within the activities performed on the territory of Serbia, regardless of whether the processing itself is performed in that territory. In the case of a controller with a registered office in Serbia, for example, whose server is located outside of Serbia and which processes data for the needs of its business, the applicability of the Law is unquestionable, and the controller is obliged to comply with the provisions of the DP Law even in relation to the data stored outside Serbia.

Also, the DP Law shall apply in cases when the controller or processor has no registered office, residence or domicile in the territory of Serbia, but processes personal data of persons with residence or domicile in Serbia, if the processing operations are targeting Serbian residents/domiciled individuals by (i) offering goods or services, irrespective of whether a payment of the data subjects is required, or (ii) monitoring their behaviour (for example, by using cookie trackers).

Putting the general extraterritorial applicability provisions of the DP Law in the context of clinical trials, there are considerable arguments that the processing of personal data of Serbian participants performed by a sponsor (who does not have a registered office in Serbia) triggers the extraterritorial applicability of the DP Law (in particular, the behaviour monitoring requirement). In the absence of official guidance from the Serbian privacy/clinical trials authorities, the arguments for this rest mainly on the EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR, which explain that “Monitoring or regular reporting on an individual’s health status” is an example of behaviour monitoring which triggers the extraterritorial applicability of the GDPR. Given that the DP Law is basically a copy of the GDPR, the competent authorities would likely rely on how the GDPR is understood by the relevant authorities and follow its example.

Last modified 19 Oct 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that either:

  • Clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(a); or
  • Clinical trial in the EU entails the monitoring of relevant participants and/or personnel located in the EU, based on Article 3(2)(b).

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by article 27 of the GDPR. This is aligned with the clinical trials regulation (article 39 of the Royal Decree 1090/2015, which regulates clinical trials with medicinal products) that sets forth that when the Sponsor is located outside the EU, it shall have a legal representative within the EU.

Last modified 31 Aug 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

General GDPR requirements apply. In our view, both Article 3(2)(a) and Article 3(2)(b) could apply.

A factual analysis should be done with respect to the clinical trial at hand. To our knowledge, the Swedish regulator has not issued any opinion on what circumstances should be taken into account. That would thus need to be assessed with respect to the specific trial at hand.

In those cases where the sponsor is not located within the EU, it shall also appoint a representative within the EU, as required by article 27 of the GDPR.

Last modified 31 Aug 2022

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes. Where clinical trial participants (data subjects) are located in the UK, the sponsor will normally be considered subject to the UK GDPR based on Article 3(2)(b) (which mirrors the wording of the same Article of the EU GDPR). In some contexts, Article 3(2)(a) may also be relevant in the context of providing the service of medical investigation to improve a patient’s health.

In such cases the sponsor is required to appoint a representative in the UK, as required by Article 27 of the UK GDPR.

Last modified 31 Aug 2022

Albania

Has the local regulator published any guidelines/regulations addressing privacy matters on clinical trials and/or pharmacovigilance? ('Regulator' may mean either the local data protection authority, or the local medicines authority.)

Yes, with regard to clinical trials. The Albanian Data Protection Commissioner (“Commissioner”) has approved Instruction no. 18 as of 03.07.2012 “On the processing of personal data in the context of clinical trials of drugs” (“Instruction no. 18”).

The instruction is available online.

No guidelines or regulations have been published with regard to pharmacovigilance.

Last modified 18 Oct 2022

What is the preferred legal ground for the processing of the personal data of the participants in a clinical trial in your jurisdiction?

Article 4.2 of Instruction no. 18 states that personal data is processed only if the test subject has consented. Therefore, consent is a mandatory legal ground for processing of the personal data. Further, based on article 4.3 of Instruction no. 18, personal data of clinical trial participants can be processed only for the following purposes:

  • If necessary for granting the registration permit of a drug;
  • To prove the clinical effect and safety of a drug during the scientific research process;
  • To reassess the efficiency and safety of a drug after its release in the market.

Last modified 18 Oct 2022

What is the legal ground for the processing of the personal data in respect of pharmacovigilance in your jurisdiction?

The processing of patients’ personal data in respect of pharmacovigilance activities is based on the existence of a legal obligation based on Article 6.1. of the Data Protection Law.

In cases of adverse effects of a certain medicine/drug, the legal ground for conducting data processing activities can also be considered the protection of vital interests of the data subject (Article 6.1.c of the Data Protection Law).

Last modified 18 Oct 2022

Indicate the role from a data protection perspective of the various parties involved (i.e., in respect of the processing of the personal data of the clinical trial).

Role: Notes

  • Sponsor: Data controller of the participants’ data.
  • Principal Investigator: Data controller of the participants’ data in connection to data processing activities that arise from the performance of investigation activities.
  • Clinical Trial Site: Data controller for the purpose of helping the investigation.
  • Monitor: Sponsor’s data processor monitoring the investigation.
  • CRO: Sponsor’s data processor when performing activities that involve access by the CRO to the participants’ data.

Last modified 18 Oct 2022

Is key-coded clinical trial data considered personal data under your jurisdiction’s data protection laws? (Key-coded clinical trial data is where the identity of the individual clinical trial participant is replaced with a unique subject identification code, and the ‘key’ which can be used to re-identify the participant is held by the Principal Investigator.)

Yes.

There is no definition of key-coded information under the Data Protection Law; however, as long as the key-coded information is accessible through a “key”, data subjects are at some point or somehow identified/identifiable regardless of who is holding the key to access the information. Therefore, key-coded information is considered personal data under the Data Protection Law.

Last modified 18 Oct 2022

Is it possible to re-use the personal data obtained for the purposes of conducting the clinical trial? If so, what requirements need to be satisfied?

Yes.

It is possible to re-use the personal data obtained for the purpose of conducting clinical trials, conditional, as a general rule, only upon the consent of the data subject. Other legal grounds for the processing need to be satisfied on a case-by-case basis (e.g., protection of vital interests of the data subject).

Hence, if the consent and/or the legal ground for processing of data extends to the re-use/ re-processing scenario, there is no need to obtain a second consent or to conduct processing on different legal grounds as there is already a valid legal ground in place for processing of personal data i.e., in case of research for the same purpose.

In light of the above, please consider that the consents given and/or the legal ground allowing the processing of data obtained for the purpose of conducting clinical trials do not automatically, and in any case, extend to the re-use of the personal data for other/latter purposes unless those are specified.

Last modified 18 Oct 2022

What requirements, if any, need to be satisfied if clinical trial data is transferred internationally?

As with health data, clinical trial data are considered sensitive data. Any processing (including transfer) of sensitive data is expressly prohibited. However, processing of sensitive data is allowed in certain exceptional cases prescribed by the Data Protection Law, among others, if the data subject has given his/her consent.

Generally speaking, international data transfer is limited to those countries offering adequate levels of data protection as provided by the Decision of the Council of Ministers no. 934, dated 2 September 2009 “On the determination of the countries which have a sufficient level of personal data protection”, i.e., EU and EEA member states; signatory countries of the Strasbourg convention etc.

However, as an exception, international data transfer may take place freely even if made to a country which does not provide adequate protection provided the data subject has granted consent. Other exceptions include scenarios where the international transfer is necessary for the performance of a contract between the data subject and the data controller or in case the transfer is a legal obligation of the controller; the international transfer is necessary for protecting vital interests of the data subject; the transfer constitutes a legal requirement over an important public interest or, for exercising and protecting a legal right; the transfer is done from a register that provides information to the general public etc.

Exceptionally, if none of the scenarios above are applicable, international data transfer is also possible with the prior authorization of the Commissioner, if the Commissioner is satisfied that adequate safeguards with relation to privacy and other fundamental rights of the data subject are in place. The Commissioner can additionally provide for conditions and obligations under which the data transfer should take place.

Last modified 18 Oct 2022

Anisa Rrumbullaku

Partner

Karanovic & Partners

T: +355 69 20 42 722

Sirius Tartari

Karanovic & Partners