Cross-border data transfer

Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information (APP 8.1). There are exceptions to the requirement in APP 8.1 to take reasonable steps and to the accountability provision in s 16C.

Note: an APP entity that discloses personal information to an overseas recipient is accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs (s 16C).

Where the clinical trial data is key-coded and it is not possible to re-identify the data, such data are not personal data and thus international data transfer regulations do not apply.

However, where the re-identification of the participants’ personal data is possible, international data transfer requirements including adequate guaranteed measures must be met if the recipient is in a country which does not offer an adequate level of protection according to the GDPR (this especially concerns requirements set out by Article 44 et seq. GDPR together with the ECJ Schrems II decision).

Unless the data is anonymized, data transfers outside the European Union are in principle prohibited, unless an adequate level of protection is ensured through an adequacy decision or appropriate safeguards (e.g. standard contractual clauses) are applied or a derogation under Article 49 GDPR exists. Where standard contractual clauses are used, a transfer impact assessment must be performed.

Pursuant to the Law, heath data, i.e., clinical trial data, falls under the category of special data, whose processing (which also implies transfer) is generally prohibited. However, processing of special data is allowed if inter alia the data subject has explicitly granted their consent.

Under the assumptions that the data subject has granted their consent, and that the data processing agreement is concluded between the controller and the processor, health data may be transferred to another country that implements adequate safeguards for personal data set by the Law.

Adequacy of safeguards is evaluated on the basis of specific characteristics of each particular transfer, such as the types of personal data, purpose and period of the processing, country to which data is to be transferred, statutory rules in force in the respective country and other relevant circumstances.

Generally, it is considered that the EU countries and signatories to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, undertake adequate safeguards, so that the data may be transferred to them.

Further, personal data may also be transferred to a country which does not provide adequate safeguards in the aforementioned sense, among others in the following cases envisaged by the Law: (i) prior consent was obtained from the person whose data are transferred and the person was informed on the potential consequences of the data transfer; (ii) the disclosure of personal data is necessary for fulfilling the contract between the data subject and the controller or the fulfilment of pre-contractual obligations undertaken at the request of the person whose data are processed.

Exceptionally, even if none of the aforementioned cases is applicable, the data can be legitimately transferred out of BH if the DPA approves such transfer if a data controller in that country provides adequate safeguards for the protection of privacy and fundamental rights and freedoms of individuals or provision of similar rights arises from the provisions of a special agreement.

If it is impossible for the recipient of key-coded clinical trial data to have access to a key needed for decoding, such data will not be considered as personal data in the scope of the GDPR, and thus, strict EU regulations regarding international transfers of personal data are not applicable.

If, however, the data can be considered as “personal data” as defined by the GDPR (and the CJEU’s decision cited above), international data transfers may only be carried out in full compliance with the GDPR, and should be based on either:

• Appropriate safeguards (most commonly the EU Commission Standard Contractual Clauses coupled with a transfer impact assessment); or
• A derogation under Article 49 GDPR.  For example, it may be possible to justify transfers of personal data necessary for pharmacovigilance purposes on the basis of Article 49(1)(d) (important reasons of public interest).

 

Assuming the clinical trial data is not anonymized, transfers to countries outside of the EU which do not benefit from an adequacy decision approved by the EU Commission should be based on either:

• Appropriate safeguards (most commonly the EU Commission Standard Contractual Clauses coupled with a transfer impact assessment; or
• A derogation under Article 49  GDPR.  For example, it may be possible to justify transfers of personal data necessary for pharmacovigilance purposes on the basis of Article 49(1)(d) (important reasons of public interest).

Where clinical trials are conducted on the basis of section 10(1) of the Danish Data Protection Act (see also question 4 above), international transfer of clinical trial data constituting personal data requires prior approval from the Danish Data Protection Agency. This also applies to disclosure of biological material and disclosure of information for the purpose of publication in recognized scientific journals or similar, regardless if the recipient is within our outside EU.

Where clinical trials are conducted using a different legal basis than section 10 of the Danish Data Protection Act, the general rules on export of personal data as laid down in chapter V of GDPR must be observed. Therefore, the data exporter must ensure that the data subjects will – also in the countries to which data are exported – enjoy a level of protection that is essentially equivalent to the level of protection within EU. This will always involve the application of a valid transfer mechanism as per GDPR article V, but would also require supplementary measures in situations, where the legislation in the countries of destination does not provide sufficient protection, as per the ruling of the European Court of Justice in the case C-311/18. 

Key-coded data will still be considered personal data, but key-coding may serve as a supplementary measure (as referred to above), provided that the key is protected by measures ensuring that it can never become available to the data importers.

The transfer needs to be made in accordance with GDPR Chapter V, meaning that the transfer should be based on appropriate safeguards, for example standard contractual clauses and appropriate supplementary safeguards should be implemented if needed. 

Subject to recent development further to Schrems II decision, the MR-001 and MR-003 provides the following:

Data that indirectly identifies research subjects and data that directly or indirectly identifies research professionals may be transferred out of the European Union when the transfer is strictly necessary to conduct the research or to exploit its results and complies with Chapter V of the GDPR.

The transfer may be made in connection with the commitment to comply with this  methodology when any of the following conditions is satisfied:

• The transfer is made to a country or an international organization recognized by the European Commission as providing an adequate level of protection, in accordance with Article 45 of the GDPR (adequacy decision);
• The transfer is made subject to the appropriate safeguards listed in Article 46(2) of the GDPR (in particular: standard data protection clauses approved by the European Commission, binding corporate rules, codes of conduct, and certification mechanisms);
• In the absence of an adequacy decision or appropriate safeguards, the transfer may be based on one of the exceptions set out in Article 49 of the GDPR when such a transfer is not repetitive, concerns only a limited number of data subjects, and is not structured.

The controller must have informed the data subjects in advance of the transfer of their personal data to third countries outside the European Union, of the existence or absence of an adequacy decision or appropriate safeguards, and of the means to obtain a copy of the appropriate or suitable safeguards in accordance with Article 13(1)(f) of the GDPR.

In those cases where  the clinical trial data is key-coded and it is not possible to re-identify the data, the information received by the recipient would not be considered as personal data, and thus, the regulations that apply to international transfers of personal data are not applicable.

In those cases where the re-identification of the participants’ personal data is possible, international data transfer shall count with adequate guarantee measures if the recipient is located in a country which does not offer an adequate level of protection to GDPR. In particular, the requirements under Art 44. et seqq. GDPR alongside the Schrems II case law of the European Court of Justice shall be met.

Provided that re-identification of the participants’ personal data is possible and therefore data protection legislation is applicable, restrictions laid down in Chapter V of the GPDR and conditions set forth therein shall apply.

This means that personal data, including health data, can be lawfully transferred in case one of the following requirement is met:

• There is a European Commission Adequacy Decision, stating that the recipient country provides adequate protection for individuals’ personal data; or
• The data exporter and importer (i) adopted appropriate safeguards pursuant to Articles 46 et seq. of the GDPR (e.g. Standard Contractual Clauses, Binding Corporate Rules, etc.), (ii) conducted a proper transfer impact assessment pursuant to EDPB’s recommendations 1/2020, and (iii) implemented further adequate contractual, organizational, and technical measures, as needed according to said transfer impact assessment.

Moreover, Article 49 of the GDPR provides for possible exceptions to the above-mentioned requirements, that can be applied only whether specific circumstances are met.

In those cases where the clinical trial data is key-coded and it is not possible to re-identify the data (i.e. the personal data is anonymous), the information received by the recipient would not be considered as personal data, and thus, the regulations that apply to personal data (incl. international transfers thereof) are not applicable.

In those cases where the re-identification of the participants’ personal data is possible, cross-border transfers must be carried out in accordance with Articles 45 et seq. of the GDPR.  This means that personal data, including health data, can be lawfully transferred in case one of the following requirement is met:

• There is a European Commission Adequacy Decision, stating that the recipient country provides adequate protection for individuals’ personal data; or
• The data exporter and importer (i) adopted appropriate safeguards pursuant to Articles 46 et seq. of the GDPR (e.g. Standard Contractual Clauses, Binding Corporate Rules, etc.), (ii) conducted a proper transfer impact assessment pursuant to EDPB’s recommendations 1/2020, and (iii) implemented further adequate contractual, organizational, and technical measures, as needed according to said transfer impact assessment.

Moreover, Article 49 of the GDPR provides for possible exceptions to the above-mentioned requirements, that can be applied only whether specific circumstances are met.

In those cases where it is not possible to re-identify the data subject, i.e. where the health data collected is truly anonymized, the information received by the recipient would not be considered as personal data, and thus, the regulations that apply to international transfers of personal data are not applicable.

In those cases where the re-identification of the participants’ personal data is possible, i.e. where the health data are pseudonymized, international data transfer rules (as set out in Chapter V of GDPR) shall be applicable to any transfers outside of the EEA or to a jurisdiction or international organization which is not subject to an adequacy decision.

In short, these data transfers must be subject to appropriate safeguards, required country assessments and adequate technical and security measures if the recipient is located in a country which does not offer an adequate level of protection to GDPR.

Assuming the clinical trial data is not anonymized, cross-border transfers must be carried out in accordance with Articles 45 et seq. of the GDPR.  This means that personal data, including health data, can be lawfully transferred in case one of the following requirement is met:

• There is a European Commission Adequacy Decision, stating that the recipient country provides adequate protection for individuals’ personal data; or
• The data exporter and importer (i) adopted appropriate safeguards pursuant to Articles 46 et seq. of the GDPR (e.g. Standard Contractual Clauses, Binding Corporate Rules, etc.), (ii) conducted a proper transfer impact assessment pursuant to EDPB’s recommendations 1/2020, and (iii) implemented further adequate contractual, organizational, and technical measures, as needed according to said transfer impact assessment.

Moreover, Article 49 of the GDPR provides for possible exceptions to the above-mentioned requirements, that can be applied only whether specific circumstances are met.

As no specific guidelines have been approved in Luxembourg, the general requirements for international transfers of Article 45 and following GDPR have to be followed:

• If the country offers an adequate level of protection as assessed by the European Commission, then no transfer tool will be necessary.
• If the country does not offer an adequate level of protection, then the appropriate measures (transfer tools) have to be put in place.

The Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data published by the EDPB are a good instrument for compliance. Also the CNPD has published its Guidelines on International Data Transfers that should be followed.

In any case, it should be borne in mind that this only would apply where there is personal data concern. If the data transferred is completely anonymized or provided only in aggregate, as it could be the case for many clinical trials, then the GDPR rules will not be applicable.

Key-coded non-personal data

Transfer of clinical trial key-coded data which does not enjoy status of personal data is not subject to the transfer provisions of the DP Law.

Personal data

On the other hand, transfer of personal data arising from clinical trial is subject to the general transfer provisions of the DP Law.

Under the DP Law, personal data may be transferred to countries or international organizations which provide for an adequate level of personal data protection exists, but only subject to the approval of the DPA. The DPA issues such approval only where it establishes that adequate measures for the protection of personal data are undertaken (criteria for the adequacy assessment include, for example, the type of the data and the statutory rules in force in the country to which the data is to be transferred).

However, in certain cases the DPA's approval is not required for data transfers out of Montenegro, as explicitly prescribed by the DP Law (e.g., if the data subject consented to the transfer and was made aware of possible consequences of such transfer, or the data is transferred to the European Union or European Economic Area or to any country that the EU Commission has determined ensure adequate level of the data protection).

The DP Law prescribes different rules on cross-border data transfer, depending on the country of the recipient.

When transferring personal data, including clinical trial data, to the EU or EEA, the data controller or processor must notify the local data protection authority at least 15 days before the transfer occurs.

Transferring personal data to a third country or international organization may be conducted only if the local data protection authority deems that the third country or international organization provides adequate levels of protection. The DP Law prescribes the following safeguards: (i) transfer of data based on an adequacy decision; (ii) transfers of data which are subject to appropriate safeguards; (iii) binding corporate rules; (iv) transfers or disclosure pursuant to international agreements. In specific situations, such transfer may occur upon fulfillment of certain conditions prescribed with the DP Law (such as explicit consent of the data subject, execution of a contract between the controller and data subject, etc.).

In practice, the local data protection authority insists on approving each of the above transfers. Furthermore, since 01 January 2022, the data protection authority requires that each request for approval of cross-border data transfer, aside from the legal ground for such transfer, is also accompanied by a Transfer Impact Assessment. Note that an approval is not required if the controller uses binding corporate rules of the group to which the controller belongs, if the same have been approved by the European Commission.

Transfer of clinical trial data would be dependent on the general rules in the GDPR and national regulation regarding the duty of confidentiality. 

If an international study the participants abroad will be considered parties in the project and the P.I must make sure the data is processed in compliance with the GDPR internationally. 

In those cases where the clinical trial data is key-coded and it is not possible to re-identify the participants (see our answers above), the information transferred would not be considered as personal data, and thus, the regulations that apply to international transfers of personal data would not be applicable.

In those cases where the re-identification of the participants’ personal data is possible, international data transfer must comply with Art. 45 and further of the GDPR, in particular, if the recipient is located in a country which does not offer an adequate level of protection to GDPR, appropriate safeguards must be ensured.

No specific local laws nor guidelines in this regard, other than GDPR and EDPB’s guidelines were published on this subject.

Assuming that re-identification of the participants’ personal data is possible, international transfers shall comply with GDPR requirements.

International data transfer shall be based on adequate safeguards if the recipient is located in a country which does not offer an adequate level of protection for personal data.

Key-coded non-personal data

Transfer of clinical trial key-coded data which does not enjoy status of personal data is not subject to the transfer provisions of the DP Law.

Personal data

On the other hand, transfer of personal data arising from clinical trial is subject to the general transfer provisions of the DP Law. Transfer provisions in the DP Law generally follow the ones from the GDPR, and provide that controller or processor may rely on the following mechanisms to convey a lawful transfer:

1. Transfer based on adequate level of protection – A transfer of personal data to another country may be performed without prior approval if it is determined that such other country provides an adequate level of protection of personal data. In short, this includes all European countries, as well as the ones which are included on the EU’s or the Serbian Government’s list of countries providing an adequate level of data protection.
2. Transfer with appropriate safeguards – In order to undertake a lawful transfer in territories which do not fulfil adequate level of protection, controller and/or processor will have to ensure that any of the safeguards are implemented (including e.g., standard contractual clauses (SCCs) prepared by the Serbian Data Protection Authority (the “DPA”), binding corporate rules (BCRs) or codes of conduct (CoCs)).
3. Transfer in specific situations (so-called residual mechanism) – such as data subject’s explicit consent, necessity for the establishment, exercise or defence of legal claims, legitimate interests etc.

It is practically important to notice that unlike the GDPR, the DP Law insists on appropriate authorisation of the relevant transfer safeguards/legal grounds (e.g., SCCs, BCRs, CoCs) by the DPA/Serbian authorities, rather than by the EU Commission/EU supervisory authorities.

For example, the SCCs, BCRs and codes of conduct can be used for transfers from Serbia to third countries, but only if they are approved by the DPA, meaning that the ones approved by the EU authorities would not be sufficient.

Finally, the DP Law recognises only the Controller-to-Processor SCCs, while the European Commission’s SCCs cover all mutual relations between controllers and processors (Controller-to-Processor, Controller-to- Controller, Processor-to-Controller, and Processor-to-Processor), and enable more than two parties to join in on the clauses.

In those cases where the clinical trial data is key-coded and it is not possible to re-identify the data, the information received by the recipient would not be considered as personal data, and thus, the regulations that apply to international transfers of personal data are not applicable.

In those cases where the re-identification of the participants’ personal data is possible, international data transfer shall count with adequate guarantee measures if the recipient is located in a country which does not offer an adequate level of protection to GDPR. Thus, cross-border transfers must be carried out in accordance with Articles 45 et seq. of the GDPR.  This means that personal data, including health data, can be lawfully transferred in case one of the following requirement is met:

• There is a European Commission Adequacy Decision, stating that the recipient country provides adequate protection for individuals’ personal data; or
• The data exporter and importer (i) adopted appropriate safeguards pursuant to Articles 46 et seq. of the GDPR (e.g. Standard Contractual Clauses, Binding Corporate Rules, etc.), (ii) conducted a proper transfer impact assessment pursuant to EDPB’s recommendations 1/2020, and (iii) implemented further adequate contractual, organizational, and technical measures, as needed according to said transfer impact assessment.

Moreover, Article 49 of the GDPR provides for possible exceptions to the above-mentioned requirements, that can be applied only whether specific circumstances are met.  

In those cases where the clinical trial data is completely anonymized and it is not possible to re-identify the data, the information received by the recipient would not be considered as personal data, and thus, GDPR's restrictions that apply to international transfers of personal data are not applicable.

In those cases where the re-identification of the participants’ personal data is possible, international data transfer shall count with adequate guarantee measures if the recipient is located in a country which does not offer an adequate level of protection to GDPR.

Assuming the clinical trial data is not anonymized, transfers to countries outside of the UK which do not benefit from an adequacy decision approved by the UK Government¹ should be based on either:

• Appropriate safeguards (most commonly either (i) the EU Commission Standard Contractual Clauses, as amended by the UK International Data Transfer Addendum; or (ii) the UK International Data Transfer Agreement).
• A derogation under Article 49 UK GDPR.  For example, it may be possible to justify transfers of personal data necessary for pharmacovigilance purposes on the basis of Article 49(1)(d) (important reasons of public interest).

[1] At the date of writing, this includes all EU and EEA states, as well as all countries benefitting from an EU Commission adequacy decision in force as at 31 December 2020.