In the European Union, the conduct of pharmacoepidemiologic studies needs to respect applicable Union data protection rules, namely the General Data Protection Regulation (EU) 2016/679 (GDPR) and Member State laws adopted in line with the GDPR (for example, further conditions or limitations with regard to the processing of genetic data, biometric data or data concerning health), which apply to processing carried out by organisations and bodies operating within the EU (for more details regarding the territorial scope of the GDPR, see EDPB Guidelines 3/2018 on the territorial scope of the GDPR, Article 3). Regulation (EU) 2018/1725 (EUDPR) applies to personal data processing by Union institutions, bodies, offices and agencies.
Personal data is information that relates to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly. Where it is possible to identify an individual directly from the information being processed, then that information is personal data. Where an individual cannot be directly identified from that information, it is still important to consider whether the individual is identifiable. For this, all the information being processed should be taken into account together with all the means reasonably likely to be used to identify that individual.
Special categories of personal data need more protection because they concern sensitive information. They include, among others, information revealing racial or ethnic origin, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Special categories of personal data can only be processed if specific conditions set out in Article 9 of GDPR and Article 10 of EUDPR are met.
EudraLex - EU pharmaceutical legislation, the regulatory information for human medicines on the EMA website, the Good pharmacovigilance practices and ENCePP provide for methodological and ethical standards and ensure that private interests do not prevail over the general interest of public health. In this context, the Union data protection legislation is an enabler that promotes high data protection standards whilst providing the foundation for scientific research for the purpose of development, authorisation and supervision of medicinal products.
For interventional research, Directive 2001/20/EC and the Guidelines for Good Clinical Practice (Commission Directive 2005/28/EC) apply. Directive 2001/20/EC will be repealed when the Clinical Trials Regulation (Regulation (EU) No 536/2014) comes into application. It will also apply to trials authorised under the previous legislation if they are still ongoing three years after the Regulation has come into operation. In addition, marketing authorisation holders (MAHs) and investigators must follow relevant national guidance of those Member States where the study is being conducted. To explain the interplay between the Clinical Trials Regulation and the GDPR, the European Commission has published dedicated Questions and Answers.
Post-Authorisation Safety Studies (PASS) may be interventional or non-interventional. They may be conducted voluntarily or imposed on the marketing authorisation holder (MAH). Article 36 of the Commission Implementing Regulation (EU) No 520/2012 specifies that for PASS imposed as an obligation, MAHs shall ensure that all study information is handled and stored in a way that ensures the confidentiality of the study records of the study subjects. Section VIII.B.6. of the GVP Module VIII - Post-authorisation safety studies (Rev. 3) recommends that these provisions should also be applied to PASS that are voluntarily initiated, managed or financed by a MAH.
The ISPE Good pharmacoepidemiology practice provides recommendations on the protection of human subjects and refers to the ISPE guidelines on Data Privacy, Medical Record Confidentiality, and Research in the Interest of Public Health. It also recommends that the plans for protecting human subjects should be described in a stand-alone section of the study protocol.
The Data Protection Authorities (DPAs) of the Member States are competent for monitoring and enforcing the application of the GDPR. They are the natural interlocutors and first point of contact for the public, businesses and public administrations for questions regarding the GDPR. The Data Protection Authorities' role includes informing controllers and processors of their obligations and raising the general public’s awareness and understanding of the risks, rules, safeguards and rights in relation to data processing.
The European Data Protection Board (EDPB) is an independent European body which is composed of representatives of the national DPAs (of all Union and EEA Member States) and the EDPS. The EDPB is established by Article 68 of the GDPR and is empowered to make binding decisions towards national DPAs to ensure the consistent application of Union data protection law. The EDPB may also issue general guidance (including guidelines, recommendations and best practice). Certain guidance adopted by the predecessor of the EDPB, the Article 29 Working Party (WP), is still applicable and provides interpretation of data protection principles under Union law.