Extraterritorial applicability

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

Depending on factual analysis.

The Australian Privacy Principles (the APPs) (as set out in Schedule 1 to the Privacy Act) extend to an act done, or practice engaged in, outside Australia by an organization that has an Australian link (s 5B(1A)).

An organization has an Australian link where it is:

• An Australian citizen or a person whose continued presence in Australia is not subject to a legal time limitation
• A partnership formed, or a trust created, in Australia
• A body corporate incorporated in Australia, or
• An unincorporated association that has its central management and control in Australia (s 5B(2))

An organisation that does not fall within one of those categories will also have an Australian link where:

• It carries on business in Australia, and
• It collected or held personal information in Australia, either before or at the time of the act or practice (s 5B(3))

Note: The phrase ‘carries on business in Australia’ in s 5B(3)(c) is not defined in the Privacy Act. However, it arises in other areas of law, including corporations and consumer law. Guidance may be drawn from judicial consideration of the phrase in those contexts.

n/a

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes. If a sponsor is not established in the EEA but carries out clinical trials on data subjects in Belgium this will likely amount to the sponsor  monitoring data subjects in the EEA, and, therefore, comes within the scope of the GDPR by virtue of Article 3(2)(b).

There are no particular considerations for Belgium with regard to this assessment of the territorial application of the GDPR. In any case, the facts of the case would need to be assessed against the constitutive elements of Articles 3(1) and 3(2) GDPR.

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

No.

The Law on Protection of Personal Data of Bosnia and Herzegovina (the “Law”) is the main law governing data protection and privacy in Bosnia and Herzegovina (“BH”) and in the absence of guidelines/regulations specifically addressing privacy matters on clinical trials, general provisions envisaged by the Law are applicable to the clinical trials as well. The Law lacks provisions envisaging its extraterritorial effect, therefore it is generally not applicable to foreign data controllers. In addition, to the best of our knowledge, the BH Data Protection Agency (“DPA”) has never taken actions against foreign data controllers as it lacks instruments for enforcement of the Law against foreign entities. 

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(b).

In case the sponsor is not located within the EU, it must appoint a representative located within the EU, as required by Article 27 of the GDPR.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(b).

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by Article 27 of the GDPR.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, where data subjects are located within the EU, the GDPR will apply, pursuant to GDPR article 3(2)(a) and/or article 3(2)(b).

Furthermore, if data subjects are located in Denmark, the Danish Data Protection Act (the “Act”) will apply, pursuant to section 4(3)(1) of the Act, which is equivalent to article 3(2)(a) and/or section 4(3)(2) of the Act, which is the equivalent to article 3(2)(b) with the exception that the geographic scope is narrowed down from EU to Denmark.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Finland does not have any country specific guidance on this matter and the general EU approach is followed.  

Article 3(2)(a) GDPR applies if the data subjects are located in the EU.   

However, since depending on a case-by-case assessment it cannot be excluded that Article 3(2)(b) would not apply instead of Article 3(2)(a). Data subjects are often offered the possibility to participate in a clinical trial and they receive compensation from this participation. Therefore, it can be assessed that the clinical trial is offered as a service and falls under the scope of Article 3(2)(a). However, in some cases Article 3(2)(b) can be applicable depending on how the clinical trial is arranged.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

As provided by Article 3(2)(b), if a data controller located outside the EU monitors the behaviour of data subjects located within the EU, the GDPR applies to that data controller. According to the guidelines published by the European Data Protection Board (“EDPB”) on the territorial scope of the GDPR, the application of Article 3(2)(b) encompasses a broad range of monitoring activities, including monitoring or regular reporting on an individual’s health status.

Therefore, in the context of a clinical trial, if the sponsor processes personal data of data subjects located in France, the sponsor would have to comply with the GDPR by virtue of Article 3(2)(b).

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by article 27 of the GDPR. This is aligned with the clinical trials regulation (article 39 of the Royal Decree 1090/2015, which regulates clinical trials with medicinal products) that sets forth that when the Sponsor is located outside the EU, it shall have a legal representative within the EU.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(b), as the sponsor is monitoring the behaviour of the data subjects. (See example “Monitoring or regular reporting on an individual’s health status“ of the European Data Protection Board in their Guidelines 3/2018 on the territorial scope of the GDPR, Version 2.1, 12 November 2019).

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, GDPR applies to clinical trials executed by sponsors not established in the EU, to the extent that processing activities entail data processing of data subjects in the EU, subject to Article 3(2)(a) of the GDPR. In addition, Greek Law 4624/2019 supplementing the GDPR applies to the extent that data are processed within the territory of Greece.

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by article 27 of the GDPR. This is in line with Article 74 of the Clinical Trials Regulation (CTR) – implemented by Article 13 of the Ministerial Decision Γ5α/59676 of Ministers of Finance, Development and Health (Government Gazette vol. Β, 4131/22.12.2016) – according to which a Sponsor not be established in the EU shall appoint a legal representative (natural or legal person) established within the EU territory.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(a).

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by article 27 of the GDPR.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that the sponsor is processing personal data in the context of the activities of an establishment of a controller or processor in the EU based on Article 3(2)(a), or if clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(b).

In Ireland, in cases where the sponsor is not established within the EU, it shall appoint a representative within the EU responsible for ensuring compliance with the sponsor’s obligations pursuant to the Clinical Trials Regulation and Irish implementing legislation.  

(15) Where a natural or legal person is established in the European Union as the legal representative of a sponsor not established in the Union in accordance with Article 74(1) of the Clinical Trials Regulation, that representative shall be responsible for ensuring compliance with the sponsor's obligations in the State, pursuant to the Clinical Trials Regulation and these Regulations.¹

A “legal representative” means the natural or legal person established in the European Union as the legal representative of a clinical trial sponsor who is not established in the Union.

[1] S.I. No. 99/2022 - European Union (Clinical Trials on Medicinal Products for Human Use) (Principal) Regulations 2022 (Part 2, S.15)

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that either:

• Clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(a); or
• Clinical trial in the EU entails the monitoring of relevant participants and/or personnel located in the EU, based on Article 3(2)(b).

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by Article 27 of the GDPR.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Since there are no specific guidelines and the practice of the CNPD is not particularly extended in this regard, the general provisions of Section 3 GDPR will apply. Therefore, the GDPR would be applicable to a Sponsor outside the EEA if it:

• Offers goods or services to data subjects in the EU (Article 3(2)(a) GDPR);
• Monitors the behaviour of data subjects in the EU (Article 3(2)(b) GDPR).

There are no clear rules regarding on which of the two bases the GDPR will be applicable to Sponsors not established in the EEA. The European Commission Q&A mentioned above does not shed too much light on the question either.

A case-by-case basis would therefore be necessary.

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

Yes, the DP Law provides for one situation where the DP Laws applies extraterritorially.

Namely, Article 5 of the DP Law stipulates that the DP Law applies to a controller established outside Montenegro or which does not have a permanent residence in Montenegro, when the equipment used to process the personal data is located in Montenegro (unless it is being used solely for the purposes of transferring data through the territory of Montenegro).

Thus, while the DP Law formally recognizes extraterritorial applicability, there is only a narrow set of situations which would result in the applicability of the DP Law. In the clinical trials context, the extraterritorial applicability would be triggered only in situations where (i) the controller of clinical trial personal data is established someplace other than Montenegro (e.g., USA), and (ii) the equipment used to process personal data of participants in the clinical trial Montenegro (regardless of whether the participants are located in/nationals of Montenegro). Relevant equipment may include any hardware (e.g., servers, mainframes), which is used to perform processing in the clinical trial.

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

Yes, the DP Law has the same extraterritorial scope as the GDPR and in accordance with Article 3 paragraph 2(a) applies to the processing of personal data of data subjects from the Republic of North Macedonia by a controller or processor not established in the Republic of North Macedonia, where the personal data processing activities are related to the (i) offering of goods and services to local consumers, regardless whether they are required to make payments, or (ii) monitoring the behaviour of the personal data subjects, if that behaviour takes place in the Republic of North Macedonia.

Consequently, by analogy with the GDPR, it can be assumed that the sponsor will be considered subject to the DP Law based on the ‘monitoring of behaviour’ limb. In some contexts, the ‘offering of goods and services’ limb may also be relevant in the context of providing the service of medical investigation to improve a patient’s health

Note that the DP Law as lex generalis is the only regulation that provides extraterritorial applicability for matters related to personal data protection, i.e., there is no specific regulation of clinical trials that provides for extraterritorial applicability.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that either:

• Clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(a); or
• Clinical trial in the EU entails the monitoring of relevant participants and/or personnel located in the EU, based on Article 3(2)(b).

The Health Research Act is considered as additional national regulation and the act applies to medical and health research on Norwegian territory, or when the research takes place under the auspices of a research manager established in Norway.

The Clinical Trials Regulation states that a sponsor located outside EEA must have a legal representative in the EEA-area and that the representative must document this authorization to the Norwegian Medicines Agency.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes to the extent that either:

• Clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(a); or

• Clinical trial in the EU entails the monitoring of relevant participants and/or personnel located in the EU, based on Article 3(2)(b). 

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by article 27 of the GDPR.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that either:

• Clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(a); or
• Clinical trial in the EU entails the monitoring of relevant participants and/or personnel located in the EU, based on Article 3(2)(b).

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by article 27(1) of the GDPR.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, the GDPR applies, to the extent that either:

• Clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(a); or
• Clinical trial in the EU entails the monitoring of relevant participants and/or personnel located in the EU, based on Article 3(2)(b). 

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by article 27 of the GDPR. This is aligned with the clinical trials legislation (article 67 (2) Order no. 904/2006 for the implementation of good clinical trial practices) that sets forth that when the Sponsor is located outside the EU, it shall have a legal representative within the EU.

Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

Yes, the DP Law provides for extraterritorial applicability.

Article 3 of the DP Law introduces substantially the same exterritorial applicability as the GDPR. In that sense, the DP Law applies to processing performed by a controller or processor with its registered office, residence or domicile in the territory of the Serbia, within the activities performed on the territory of the Serbia, regardless of whether the processing itself is performed in that territory. In the case of a controller with a registered office in Serbia, for example, whose server is located outside of Serbia and which processes data for the needs of his business, the applicability of the Law is unquestionable, and the controller is obliged to comply with the provisions of the DP Law even in relation to the data stored outside Serbia.

Also, the DP Law shall apply in cases when the controller or processor have no registered office, residence or domicile in the territory of Serbia, but process personal data of persons with residence or domicile in Serbia, if the processing operations are targeting Serbian residents/domiciled individuals by (i) offering goods or services, irrespective of whether a payment of the data subjects is required  or (ii) monitoring their behaviour (for example, by using cookie trackers).

Putting the general exterritorial applicability provisions of the DP Law in the context of clinical trials, there are considerable arguments that the processing of personal data of Serbian participants performed by sponsor (who does not have registered office in Serbia) triggers the extraterritorial applicability of the DP Law (in particular, behaviour monitoring requirement). In the absence of official governance of the Serbian privacy/clinical trials authorities, the arguments for this fall mainly on the EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR, which explains that “Monitoring or regular reporting on an individual’s health status” is an example of behaviour monitoring which triggers the extraterritorial applicability of the GDPR. Given that the DP Law is basically a copy of the GDPR, the competent authorities would likely rely on how GDPR is understood by the relevant authorities and follow its example.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes, to the extent that either:

• Clinical trial participants (data subjects) are located in the EU, based on Article 3(2)(a); or
• Clinical trial in the EU entails the monitoring of relevant participants and/or personnel located in the EU, based on Article 3(2)(b).

In those cases where the sponsor is not located within the EU, it shall appoint a representative within the EU, as required by article 27 of the GDPR. This is aligned with the clinical trials regulation (article 39 of the Royal Decree 1090/2015, which regulates clinical trials with medicinal products) that sets forth that when the Sponsor is located outside the EU, it shall have a legal representative within the EU.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

General GDPR requirements apply. In our view, both Article 3(2)(a) or Article 3(2)(b) could apply.

A factual analysis should be done with respect to the clinical trial at hand. To our knowledge, the Swedish regulator has not issued any opinion on what circumstances that should be taken into account. That would thus need to be assessed with respect to the specific trial at hand.

In those cases where the sponsor is not located within the EU, it shall also appoint a representative within the EU, as required by article 27 of the GDPR.

Does the GDPR/UK GDPR apply to a clinical trial sponsor situated outside the EEA?

Yes. Where clinical trial participants (data subjects) are located in the UK, the sponsor will normally be considered subject to the UK GDPR based on Article 3(2)(b) (which mirrors the wording of the same Article of the EU GDPR). In some contexts, Article 3(2)(a) may also be relevant in the context of providing the service of medical investigation to improve a patient’s health.

In such cases the sponsor is required to appoint a representative in the UK, as required by Article 27 of the UK GDPR.