Do the new EDPB’s Guidelines have an impact on the health sector?
August 24, 2021
The European Data Protection Board (« EDPB ») recently issued the final version of its guidelines 07/2020 on the concepts of controller and processor in the General Data Protection Regulation (« GDPR »).
Originally, the first guidance on that matter was issued by its predecessor, the Article 29 Working Party (“29 WP”) in 2010. In the meantime, the GDPR entered into force and raised new concerns, remaining unsolved by the initial guidelines.
Hence, the EDPB released a new draft version last year that were opened to public consultation. Last July 7th, the finalized version was adopted, considering the different stakeholder’s’ feedbacks.
In a nutshell
The main goal aims to provide a consistent approach throughout the European Economic Area with further clarifications following the public consultation.
The final version does not change fundamentally regarding the last draft version. It is still organized in two main parts:
- The first one highlights the definition of the notion of controller, processor and joint controllers with practical examples.
- The second one emphasizes the consequences related to the allocation of the different roles such as the contractual requirements.
Overall, only punctual precisions through additional wordings and examples have been implemented.
What is relevant for the health sector?
1) Devices and health apps
Considering the growing evolution of health apps, EDPB has set forth clarifications on the role qualification on that matter. In case where a health app provider and an app developer decide to set up a project involving other parties (e.g.: hospital, …), their role qualification will differ regarding the characteristics and means of the processing activities.
Sensu stricto, each party (app provider, app developer, hospital…) separately process personal data as separate controller.
In the case where the purpose is jointly determined by each of the party and they agree on having common purpose for the processing, they would be considered as joint controllers even though the app provider is the only one proposing the essential means (accepted afterwards by the others). Once the research is completed, each of them may benefit from the processing in their own activities.
By contrast, if the health app provider has simply been asked by the others to perform the processing without having any purpose on its own and merely processing on behalf of the other parties, it would be considered as processor even if it was entrusted with the determination of the non-essential means.
2) The clinical trials
Regarding the clinical sector, the rationale remains unchanged. The determination of the role qualification still relies on a case-by-case analysis with a specific focus on the means of the processing and the involvement of parties in the drafting of the protocol.
It is worth noting that for purpose of patient care, the investigator as health care provider remains, in any case, a separate controller.
As per EDPB, the investigator would be considered as joint controller along with the sponsor when they collaborate on the drafting of the study protocol and agree on the essential means of the processing for the purpose of research.
By contrast, the investigator would be considered as processor and the sponsor as controller when the investigator does not participate to the drafting of the protocol and when such protocol is only designed by the sponsor itself.
What is still unclear regarding the clinical sector?
Despite the recent clarifications provided by the EDPB, the concept of role qualification in the scope of clinical trials is far from clear cut and some questions remain unsolved.
Notably, it appears EDPB assesses the role qualification in clinical trials between the ‘investigator’ and the sponsor while its predecessor, 29 WP, envisioned it between the ‘trial centres’ and the sponsor.
This difference is quite tricky since the sites (or trial centres) constitute the infrastructures where the trial-related activities are conducted (e.g.: hospital…) whereas the investigator is the natural person who conducts the clinical trial at the sites. Isn’t the EDPB approach to restrict its opinion on the role qualification of the investigator (avoiding the question of the site) too simplistic? Additionally, this approach does not cover all clinical trial scenarios. Depending on the contractual agreements in place and the national specificities, the investigator could be considered as an employee of the site and consequently, could no longer be considered neither controller nor processor. Hence, the role qualification of the site is still unsolved and leaves clinical trial actors with uncertainties…
The EDPB stressed that it intends to provide further guidance in relation to clinical trials through the forthcoming guidelines on processing of personal data for medical and scientific research purposes.
Awaiting the release of such guidance, parties to clinical trials should duly consider the determination of their relationships and the role qualification of each one, bearing in mind the applicable national specificities. In this case, the contractual agreements in place will play a key role as documentation and justification of their positions regarding their role qualification.
If you are an organisation operating in the Health sector looking for advice or additional information on this subject, contact MyData-TRUST. We will be pleased to assist you.