On February 2nd, the European Data Protection Board (EDPB) published a series of responses to inquiries prepared by the European Commission (justice and consumer section). In these consultations the EDPB is asked to resolve questions about the protection of personal data used in clinical research.
The document is divided into six sections, developed over various paragraphs, that answer questions ranging from ethical issues and informed consent to anonymization processes and the collection and processing of personal data obtained in medical research.
Regarding informed consent and data processing, special focus is placed on its legal basis and on the distinction between informed consent and the legal basis of consent required under the standards of the General Data Protection Regulation, the two being complementary to such protection; and on the need to obtain special consent from the patient when there is no other way out than to resort to the treatment that the research is developing to improve the subject's quality of life.
The same happens when data controllers conduct clinical trials in different Member States of the EU and it is necessary to homogenize the legal basis across all of them when conducting the project, in order to comply with the GDPR standards and each state's own local particularities.
An interesting topic that the document tries to elucidate, although it will be left to a later consultation, is the possibility of extending the consent given by the owner of the data (the subject of the trial) in one trial to other trials of the same nature.
Regarding obtaining broad consent in clinical trials, the EDPB refers in a certain way to recital 33 of the GDPR, in order to minimize the requirements of specific consent when the purpose of the data processing cannot be determined at the initial stage of collection.
Finally, the document refers to related issues such as: 1) the use of information obtained directly from the owner of the data for purposes other than those originally reported, and whether, in which cases and how the requirement of transparency must be met; 2) the application of pseudonymization and anonymization processes to personal data in clinical trials; 3) the processing of specific categories of data and their treatment on a large scale during clinical trials.
Protection of personal data is an issue that has gained relevance in the last year in all parts of the world. Examples of this phenomenon are the implementation of the General Data Protection Regulation (GDPR) in the European Union in 2018 and the new laws, modifications to current ones and judicial decisions on the matter that Latin American countries have begun to adopt in order to align with the community regulations.
In this respect, in a recent judicial ruling, the Supreme Court of Justice of the Nation of Mexico (SCJN) analyzed the pertinent period for keeping personal data under the Law for the Protection of Personal Data in Possession of Obligated Subjects of the State of Guerrero, and determined that a portion of the regulations was invalid because it established generic terms for the preservation of personal data.
The Court understood that this generic term violated the right to the protection of these data, since their treatment requires individualization in each specific case; the deadlines to apply must therefore be decided by reference to the applicable provisions in the matter in question.
As a result of this resolution, the Supreme Court ordered the Institute of Transparency, Access to Information and Protection of Personal Data of the state of Guerrero to issue, within 90 days, the guidelines to which the general law of the corresponding subject refers. Finally, it is important to note that this decision was applied to other states such as Jalisco, Michoacán and Sinaloa, in which the Institute of Transparency, Public Information and Protection of Personal Data was notified to adapt its regulations to this criterion, since the local law had improperly extended the term to one year.
Source: www.elpuntocritico.com
General Data Protection Regulation (GDPR)
On May 25, 2018, after its approval in Parliament and the European Council, the General Data Protection Regulation (GDPR) came into force in the European Union, in order to unify the regulations of all the Member States on the matter. Against the background of this new regulation, which affects both citizens and European companies, the complex exit of the United Kingdom from the Union, for which a new date has been set for October 31st* of this year, is one of the biggest concerns for the community companies that operate in the Anglo-Saxon country.
Hypotheses about Brexit
Faced with this situation, different hypotheses arise depending on whether the English House of Commons decides to leave the EU with an agreement, also known as the “Soft Brexit”, or without an agreement, giving way to a “Hard Brexit”.
If the exit takes place under an agreement, the so-called “Soft Brexit”, the GDPR will continue to be applicable during the transition period set by that agreement, creating a period of transposition of laws as a result. From that date, the United Kingdom would have until December 31st, 2021 to sign new treaties with the European Union, including those related to data protection.
On the other hand, if no exit agreement is reached, the result would be what is known as “Hard Brexit”, whereby the UK’s relationship with the EU would be similar to that maintained with the United States, where “safe harbor” agreements are required, as well as compliance with another series of requirements, to allow the acquisition and handling of data of European citizens and companies.
In other words, a legal vacuum would be created for all European companies that currently operate with data in the United Kingdom for a period of time, until the signing of new agreements on the subject.
Conclusion about GDPR and Brexit
Therefore, taking into account the present scenario and the continuous postponement of the famous Brexit during the current year, it is certain that the departure of the United Kingdom from the EU will not be calm and peaceful, and that it will affect different aspects of the community system, such as the protection and control in the exchange of data.
Thus, the most advisable course for companies that handle European data is to comply with both the GDPR and the previous regulations, the Organic Law of Protection of Personal Data (LOPD), to avoid any type of conflict during this transition.
* After the postponement of Brexit for 04/12/2019, Great Britain's departure is delayed until 10/31/19, in order to offer six months of extra time to reach an agreement that allows an orderly departure.
Source: www.zonamovilidad.es
Artificial Intelligence and GDPR
The interaction of Personal Data Protection and Artificial Intelligence (AI) becomes particularly interesting when issues arise from the use of personal data with AI.
General Data Protection Regulation (GDPR)
The new General Data Protection Regulation (GDPR) of the European Union (EU), which entered into force on 25 May 2018, aims to give control to citizens of and residents in the EU over their personal data.
Regarding Artificial Intelligence, in particular, GDPR aims to create transparency rights and safeguards against automated decision-making, meaning decisions that are made by machines when personal data is used.
In essence, GDPR states that:
- When companies collect personal data, they have to say what it will be used for, and not use it for anything else.
- Companies are supposed to minimize the amount of personal data they collect and keep, limiting it to what is strictly necessary for the purposes stated. They are also supposed to put limits on how long they hold that data.
In short, companies must tell people what data they hold on them, and what’s being done with it.
- Companies should be able to alter or get rid of people’s personal data if requested.
- If personal data is used to make automated decisions about people in an AI system, companies must be able to explain the logic underpinning the algorithm used for the decision-making process, i.e., the general functionality of the automated system.
In particular, Article 22 of the GDPR grants individuals the right to contest a completely automated decision if it has legal or other significant effects on them.