
Spain: Code on personal data in clinical trials, clinical investigations, and pharmacovigilance

On 10 February 2022, the Spanish data protection authority ('AEPD') approved the Code of Conduct on the Processing of Personal Data for the Purposes of Clinical Trials, other Clinical Investigations and Pharmacovigilance ('the Code'), making it the first sectoral code of conduct to be approved following the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Code was approved under Article 40 of the GDPR and Article 38 of the Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights ('LOPDGDD'). Bárbara Sainz de Vicuña, Isabela Crespo Vitorique, and Mercedes Ferrer Bernal, from GÓMEZ-ACEBO & POMBO ABOGADOS, S. L. P., discuss the Code and its requirements.


An overview of the Code

The Code, which has been promoted by FarmaIndustria (which is the Spanish national pharmaceutical industry association), sets out how clinical drug trial sponsors and contract research organisations ('CROs') that opt to subscribe to the Code should apply data protection legislation in the fields of clinical and biomedical research and pharmacovigilance.

While the Code applies only within Spain, it is hoped that it will be an important benchmark throughout the EU, in that it is the first code in this field to obtain approval within the EU. It is also a demonstration of the Spanish pharmaceutical industry's commitment to data protection.

Member organisations' obligations under the Code

Membership of the Code is voluntary. Data controllers and processors who opt to subscribe to the Code undertake to comply with it. The main obligations on member organisations are as follows:

  • They must publicise their membership: Trial sponsors must state in the trial protocol and other trial documentation that they subscribe to the Code. Similarly, pharmaceutical companies must state their membership of the Code on the consent form (where consent is required) and in other documentation.
  • They must provide training: FarmaIndustria and Code members must provide training on data protection for staff and professionals who process personal data.
  • They must comply with the protocols on data processing in clinical trials and pharmacovigilance.

Data processing in clinical trials

The key features of the protocol established by the Code on the processing of personal data in clinical trials and other clinical investigations are as follows:

  • Coded data: The protocol applies only to the processing of coded data (given that, in practice, there is no processing of uncoded personal data).
  • Lawful basis for processing: The general legal basis for processing data in the clinical trials field is the need to comply with legal obligations, and the research subject's consent to the processing of their data is not required. This is without prejudice to the requirement to obtain the data subject's informed consent to taking part in a clinical trial or research study.
  • Information to be provided to participants: The information on data protection must be provided separately (in accordance with Articles 13 and 14 of the GDPR and Article 11 of the LOPDGDD) from the information in the patient information document to be provided to the patient under the clinical trials regulations such as Royal Decree 1090/2015 of 4 December 2015 Governing Clinical Drug Trials, Drug Trial Ethics Committees and the Spanish Clinical Studies Register.
  • Data controllers and processors: The protocol clarifies the roles of the various parties involved in data processing. It establishes that both the research sponsor and the clinic or principal investigator are controllers for the purposes of their respective data processing activities, that each data controller is responsible for complying with the obligations arising from their activities, and that they will not be jointly and severally liable for breaches by the other party. It identifies the main data processors in clinical research contexts as the CROs, auditors, customer service providers, and providers of sample collection or sample transport services, among others.
  • Reuse of data: The protocol addresses the secondary use of data obtained in the context of one research study for the purposes of subsequent research studies; as a general rule, the consent of the research participants is not required in such cases (since it is covered by paragraph (c) of the seventeenth additional provision of the LOPDGDD).
  • Trusted third party: The protocol introduces the concept of a trusted third party: a party not involved in the clinical research that can be engaged to encode the research participants' personal data, thereby ensuring that the sponsor is unable, either on its own or with the aid of the researcher, to re-identify participants.
  • Accountability obligations: The protocol details the accountability obligations that arise when processing data for research purposes.
  • International data transfers: The protocol clarifies the situation concerning international transfers of personal data. It states that where the data has been anonymised by the transferring sponsor, thus making it completely impossible for a data transfer recipient in a third country outside the European Economic Area to re-identify research participants, the regulations governing international data transfers (in essence, Article 44 and following of the GDPR) will not apply. However, where it would be possible to re-identify participants, appropriate safeguards must be put in place if the recipient country does not provide a level of protection equivalent to that of the GDPR.
  • Other data sources: There is particular emphasis on the importance of real world evidence in developing innovative products that address unmet medical needs and in supporting the safe and effective use of medicinal products once they are available on the market.
  • Standard forms: There are various annexes containing model data protection clauses, standard formats for recording processing activities and replying to subject access requests, and model confidentiality undertakings, for use in regulating the legal relationships between the various participants.

Data processing in the field of pharmacovigilance

The key features of the protocol on processing personal data in the field of pharmacovigilance are as follows:

  • Coded data: The protocol sets out the different circumstances under which pharmaceutical companies process coded or uncoded personal data, and the rules that apply in each case.
  • Lawful basis for processing: The protocol defines the general legal basis for processing, which likewise comes under the need to comply with legal obligations, in conjunction with the duty to ensure high standards of quality and safety in healthcare, medicinal products and medical devices.
  • Pharmacovigilance protocol: A uniform pharmacovigilance protocol is established which differentiates between the various channels used to notify adverse reactions (e.g. by phone, electronically or via social networks) and between the different individuals who provide notifications.
  • Data disclosures: Disclosures of personal data in the field of pharmacovigilance are covered in detail, with particular emphasis on disclosures within the same corporate group.
  • Accountability obligations: The protocol details the accountability obligations that arise when processing data in the field of pharmacovigilance.
  • Exercise of rights: A detailed protocol is provided on managing and processing requests to exercise rights of access, rectification or erasure or to restrict processing.
  • Standard forms: There are various annexes containing model data protection information clauses, standard formats for replying to interested parties, making notifications and recording processing activities, and model contracts between pharmaceutical companies and the CROs that carry out pharmacovigilance activities using coded data.

Compliance and monitoring of the Code

An independent Code of Conduct Governing Body ('CCGB') is responsible for monitoring member organisations' compliance with the Code. The CCGB's main functions are:

  • to examine and rule on applications for membership, and to maintain the register of member organisations;
  • to disseminate, interpret, and enforce the Code and to monitor its application, carrying out an annual programme of both systematic and random reviews or audits;
  • to reply to enquiries from member organisations concerning compliance with the Code; and
  • to issue a report every four years on any amendments that may be needed to the Code and to propose appropriate amendments, so as to ensure that the content of the Code continues to meet the needs of an ever-changing environment and responds to developments in data protection legislation and case law.

Moreover, the CCGB will also carry out the following procedures:

  • mediation - a voluntary procedure is available, free of charge, to facilitate the out-of-court settlement of data protection complaints made by interested parties against member organisations; and
  • disciplinary procedures - the CCGB may decide to open disciplinary procedures in three situations:
    • where a decision issued in the dispute resolution procedure described above imposes a particular obligation on a member organisation, and the organisation fails to comply with the obligation within the timeframe stipulated in the decision;
    • where the CCGB becomes aware of evidence of non-compliance, for example as a result of the systematic and random reviews and audits provided for in the Code; and
    • where the CCGB becomes aware that a member organisation has failed to deal with a large number of requests to exercise data rights.

Where the AEPD forwards a complaint by an interested party to the CCGB, it will be dealt with under the mediation procedure described above.

To give effect to its decisions, and without prejudice to the sanctioning powers of the AEPD, the CCGB may impose the following sanctions:

  • For minor breaches: A written warning.
  • For serious breaches: A written warning and temporary suspension from membership of the Code until the breach is shown to have been remedied.
  • For very serious breaches: A written warning, publication of the sanction, and temporary suspension from membership of the Code for a period of one to three years. Exceptionally, in cases of very serious breaches involving particularly serious legal infringements and high levels of culpability, the sanction may result in the expulsion of the member organisation.

In addition to these sanctions, member organisations will be required to remedy or correct any faults or irregularities that have been identified and to rectify any inappropriate circumstances or conduct.

Bárbara Sainz de Vicuña Senior Associate
Isabela Crespo Vitorique Senior Associate
Mercedes Ferrer Bernal Associate
GÓMEZ-ACEBO & POMBO ABOGADOS, S. L. P., Madrid
