Data Requests in the Early Days
- Breffni Martin
- Mar 6
Updated: May 12
The GDPR came into force on the 25th of May 2018. RegIntel’s main focus at that time was Legal Representative services supporting clinical trials on behalf of non-EU sponsors, mainly from the USA. After some analysis we decided to offer GDPR services in addition to Legal Representative services to our clients. Initially we offered advice, but also Data Protection Representative Services and an outsourced DPO service. Compiling required documentation, Data Protection Impact Assessments (DPIAs) and Records of Processing Activities (ROPAs), as well as helping clients to get into basic compliance, was part of the package.
The first challenge to a client came in the form of a data subject request (DSR) a few months after the GDPR came into force. This involved a small US clinical startup running a study on an anti-viral in Germany involving a human challenge trial (HCT). Two hundred healthy volunteers were sequestered for part of the study, which lasted 120 days including follow-up. The design was a randomised, placebo-controlled phase IIb study. The study took place in stages during which some study subjects were able to communicate with one another at the facility.
The site conducting the study identified itself as a separate independent data controller, which was reflected in a thin Data Processing Agreement (DPA) type addendum to the original Clinical Trial Agreement, which otherwise simply stated a commitment by the parties to abide by GDPR. The agreement predated the date of coming into force of GDPR and the study itself straddled this date. Exports were based on the EU–US Privacy Shield.
The data subject, apparently aware of potentially new data access rights under GDPR, requested a copy of their laboratory blood results from the study site investigator. This request was initially declined until the data subject threatened to notify the local Federal Data Protection Agency. At this point the investigator, after consultation with their Data Protection Officer, decided to provide the requested data and notified the sponsor/controller. This was day 21 since the initial request. The investigator also indicated that a second data subject had made a similar request, apparently after communicating with the initial requestor.
This produced some understandable consternation with the sponsor, who requested a high-level meeting with the investigator and their DPO, as well as others at the site (business managers, clinical specialists). The investigator agreed to defer the request by 30 days, and to limit the amount of data to be provided, with test results involving the research drug and its breakdown products excluded.
The rationale from the site was that the processing was based on consent in accordance with the Informed Consent Form (ICF), which did not contain any statements limiting data protection rights. Ultimately the same data was provided to the second data requestor, and on foot of this ICFs were updated to include limitations to data protection rights under Article 89.
At the end of the study it was decided to exclude the two data requestors from the study report due to potential bias; it was concluded that it might have been possible for the data requestors to infer if they were on drug or placebo.
This process provided a useful introduction to the pitfalls of both inadequate contracts (provision of how to handle data requests) and incomplete description of rights and limits to rights in the ICF, at a time when the EDPB had yet to provide any guidance and the CTR was not yet in force.