
Spain: Health and Pharma Overview


1. Governing Texts

1.1. Legislation

The origins of the relationship between pharmaceutical regulation and personal data protection regulation in Spain date back to Organic Law 5/1992 on the Regulation of Automated Processing of Personal Data ('the 1992 Data Protection Law'). The 1992 Data Protection Law already treated health-related data as subject to a special degree of protection, requiring the data subject's consent and/or a 'legal authorisation/clearance' for it to be processed lawfully.

Organic Law 15/1999 on the Protection of Personal Data (only available in Spanish here) ('the Data Protection Law of 1999') and Royal Decree 1720/2007 Developing the Data Protection Law of 1999 constituted the Spanish legal instruments necessary to implement the Data Protection Directive (95/46/EC).

All of these legal instruments were suitable at the time to address traditional scenarios of health-related data processing, in areas such as the conduct of clinical trials, medical research or pharmacovigilance. However, in this day and age, emerging technologies enable a huge range of possible business models involving health-related personal data, posing a wide range of potential risks to data subjects' privacy.

The entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') has suddenly changed the very foundation of the legal regime on this matter.

In Spain, Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights (only available in Spanish here) ('the Data Protection Law of 2018') has developed some of the provisions that the GDPR had left open to EU Member States.

However, the Spanish data protection authority ('AEPD') has not yet issued any formal guidelines on this topic as a whole, offering only:

  • guidelines for patients and users of the Spanish National Healthcare System (only available in Spanish here);
  • a technical note on the information duty and other accountability measures regarding apps on physical activity, well-being and health for mobile devices (only available in Spanish here);
  • a report on the adaptation of privacy policies with the GDPR (only available in Spanish here), dated before the entry into force of the GDPR and the Data Protection Law of 2018.

The Catalonian data protection authority ('APDCAT') has issued two legal reports specifically on this matter since the entry into force of the GDPR and the Data Protection Law of 2018.

In addition, the regulation of the health and pharma sectors in Spain is made up of an ensemble of different legal instruments, which include the laws implementing indirectly effective EU Directives. Many of these laws are not, in fact, generally concerned with data protection, but may nonetheless apply to data processing activities, depending on the specific nature of such activities.

Among the most important EU regulations concerning health-related data are the GDPR and the Regulation (EU) No 536/2014 of 16 April 2014 on Clinical Trials on Medicinal Products for Human Use, and Repealing Directive 2001/20/EC ('CTR').

As for those Spanish legal instruments which should be considered as directly impacting privacy and data protection, the Data Protection Law of 2018 makes specific mention in its 17th Additional Provision that some of the legal exceptions for the processing of health-related personal data, envisaged by Article 9(2) of the GDPR, will apply when so provided in the relevant Spanish legal provisions.

In particular, the exceptions provided in Article 9(2)(g) to (j) of the GDPR ((g) substantial public interest, (h) management of health or social care, (i) public interest in the area of public health, and (j) scientific, statistical or historical research purposes) will apply in the event that the processing of health-related data is expressly envisaged by one of the following acts:

  • Law 14/1986, of 25 April 1986, on General Healthcare (only available in Spanish here);
  • Law 31/1995, of 8 November 1995, on the Prevention of Risks at Work (only available in Spanish here);
  • Law 41/2002, of 14 November 2002, Regulating Patient Autonomy and Rights and Obligations Regarding Clinical Information and Documentation (only available in Spanish here);
  • Law 16/2003, of 28 May 2003, on the Cohesion and Quality of the National Health System (only available in Spanish here);
  • Law 44/2003, of 21 November 2003, on the Organisation of Healthcare Professions (only available in Spanish here) ('the Law on Healthcare Professions Organisation');
  • Law 14/2007, of 3 July 2007, on Biomedical Research (only available in Spanish here) ('the Biomedical Research Law');
  • Law 33/2011, of 4 October 2011, on General Public Health (only available in Spanish here);
  • Law 20/2015, of 14 July 2015, on the Organisation, Supervision and Solvency of Insurance and Reinsurance Companies (only available in Spanish here);
  • Royal Legislative Decree 1/2015, of 24 July 2015, Approving the Revised Text of the Law on Guarantees and Rational Use of Medicines and Medical Devices (only available in Spanish here); and
  • Royal Legislative Decree 1/2013, of 29 November 2013, Approving the Revised Text of the General Law on the Rights of Persons with Disabilities and their Integration into Society (only available in Spanish here).

In this regard, it seems the Spanish legislator has established a set of legal exceptions through a rather conservative interpretation of the GDPR. However, it appears difficult to determine the applicability of any particular exemption of Article 9(2) of the Data Protection Law of 2018 when aided only by a reference to 'the processing activities envisaged' by the above-listed legal instruments, considering that the nature of such processing activities may vary greatly.

In this sense, it is fundamental to point out that the accountability principle of the GDPR requires that each and every processing activity be individually evaluated, in order to determine whether any of the legal bases or exemptions for the processing of special categories of data apply. For this reason, it may be difficult to ascertain which specific exemption should apply to the numerous possible data processing activities envisaged by the aforementioned legal instruments.

1.2. Supervisory authorities

There are several supervisory authorities with enforcement competencies in Spain. The main supervisory authority regarding personal data protection is the AEPD.

In relation to health-related matters, the following entities are the supervisory authorities in Spain:

  • the Spanish Agency for Medicines and Medical Devices ('AEMPS'), which is the main authority for ensuring safety of medicines, medical devices and healthcare products, including pharmacovigilance and the assessment and authorisation of clinical trials;
  • the Spanish Society of Public Health and Healthcare Administration ('SESPAS'), an organisation dedicated to the improvement of health and healthcare services for the Spanish population; and
  • the General Secretariat for Health and Consumer Affairs, a body within the Ministry of Health, Consumer Affairs and Social Welfare, which is responsible for carrying out functions relating to public health, inter-territorial coordination, inspection, healthcare planning, management and organisation of the healthcare professions and development and implementation of pharmaceutical policies. It is also in charge of other areas relating to the public financing, pricing of medicines and medical devices, and the implementation of activities aimed at translating innovation and research developments.

It should also be noted that the enforcement of health-related regulations is carried out by the competent authorities of the 17 autonomous regions of Spain in their respective regions.

1.3. Guidelines

The AEMPS has issued the following guidelines affecting privacy and data protection since the entry into force of the GDPR:

The AEPD has issued the following legal report since the entry into force of the GDPR affecting health-related processing activities:

The APDCAT has issued the following opinions since the entry into force of the GDPR affecting health-related processing activities:

  • Opinion on the Use of Pseudonymised Health Data in Biomedical Research;
  • Opinion on Data Processing in Health Research; and
  • Guidelines on data protection for patients and users of healthcare services (only available in Spanish here and in Catalan here).

1.4. Definitions

Below are included some of the most relevant definitions included in the main legal instruments affecting the processing of health-related personal data.

Definitions from the GDPR

Data subject: Any identified or identifiable natural person. The GDPR elaborates that an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Special categories of personal data: Article 9(1) of the GDPR categorises certain sensitive types of data as 'special categories of personal data', the processing of which is prohibited, subject to certain exceptions provided for in Article 9(2) of the GDPR. The special categories of personal data are: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; and data concerning a natural person's sex life or sexual orientation.

Consent: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. With regards to the processing of special categories of data, consent must be explicit.

Definitions from the Biomedical Research Law

Biobank: A non-profit, public or private establishment hosting a collection of biological samples designed for diagnostic or biomedical research purposes and organised as a technical unit with criteria of quality, order and destination.

Consent: An expression of free and conscious will, validly issued by a capable person, or by his authorised representative, preceded by the appropriate information.

Genetic data: Information on the hereditary characteristics of an identified or identifiable person obtained by nucleic acid or other scientific analysis.

Definitions from the Royal Decree 1090/2015, of 4 December 2015, Regulating Clinical Trials with Medicines, the Committees on the Ethics of Medicines Research and the Spanish Registry of Clinical Studies (only available in Spanish here) ('the Clinical Trials Decree')

Informed consent: The free and voluntary expression by a clinical trial subject of his or her willingness to participate in a given clinical trial, after having been informed of all aspects of the trial that are relevant to his or her decision to participate or, in the case of minor or incapable trial subjects, an authorisation or agreement by their legally appointed representatives to include them in the clinical trial.

Clinical study: Any investigation intended to:

  • discover or verify the clinical, pharmacological or other pharmacodynamic effects of one or more medicinal products;
  • identify any adverse reactions to one or more medications; or
  • study the absorption, distribution, metabolism and excretion of one or more drugs, with the aim of determining the safety and/or efficacy of those drugs.

Clinical trial: Any clinical study complying with any of the following conditions: it is assigned beforehand to a specific therapeutic strategy, which is not part of the normal clinical practice of the Member State concerned; the decision to prescribe investigational drugs is made along with the decision to include the subject in the clinical trial; or diagnostic or follow-up procedures are applied to trial subjects that go beyond usual clinical practice.

2. Clinical Research and Clinical Trials

2.1. Data collection and retention

Under the GDPR, personal data concerning health is considered as a special category of personal data pursuant to Article 9. Therefore, the processing of health-related data is prohibited unless one of the exceptions provided for by Article 9(2) of the GDPR applies.

As outlined in the section on Legislation above, the 17th Additional Provision of the Data Protection Law of 2018 envisages a number of legal instruments that may apply to the processing of health-related personal data. According to the 17th Additional Provision, the processing activities described within such legal instruments will be considered as falling under the exceptions of paragraphs (g), (h), (i) and (j) of Article 9(2) of the GDPR (each activity under whichever of those exceptions is relevant to it).

Under the GDPR, the processing of special categories of personal data may only be carried out if one of the exceptions of Article 9(2) and one of the legitimate bases for processing outlined in Article 6(1) of the GDPR concurrently apply.

Using consent as a legitimate basis for processing may carry a certain risk of the processing being considered unlawful. The European Data Protection Board ('EDPB'), in its Opinion 3/2019 concerning the Questions and Answers on the Interplay between the Clinical Trials Regulation and the General Data Protection Regulation ('the EDPB's Opinion on the Interplay between the CTR and the GDPR'), states in paragraphs 20 and 21 that, even when the conditions of informed consent under the CTR are to all intents and purposes fulfilled, a 'clear situation of imbalance of powers between the participant and the sponsor/investigator' will mean that consent is not 'freely given' within the meaning of the GDPR. The EDPB therefore suggests that the circumstances of a clinical trial ought to be subject to particularly thorough examination before consent is relied upon as a legal basis for the processing of personal data for the research purposes of such a trial.

In addition, specific data collection criteria and good practices for the processing of data are outlined in the AEMPS' Clinical Trial Guidelines, such as the pseudonymisation of patients through ID codes within the documentation of the clinical trials.

As regards retention periods, no specific term is set in any Spanish legal instrument related to health-related personal data. Therefore, pursuant to the 'storage limitation' principle enshrined in Article 5(1)(e) of the GDPR, personal data processed must be stored for no longer than is necessary for the purposes for which the personal data are processed, but may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

In this sense, retention periods for health-related data gathered in clinical trials should be aligned with the retention periods set by any relevant legal instrument. As stated by the AEMPS in the AEMPS' Clinical Trial Guidelines, a 25-year period will apply to any clinical trial subject to the Clinical Trials Decree.

2.2. Consent

The EDPB's Opinion on the Interplay between the CTR and the GDPR contains specific guidance on the topic of consent, distinguishing between the 'informed consent' required by CTR and the 'explicit consent' required by GDPR.

According to the EDPB, the CTR's provisions on informed consent 'respond primarily to core ethical requirements of research projects involving humans deriving from the Helsinki Declaration,' and its main purpose is to 'ensure the protection of the right to human dignity and the right to integrity of individuals,' but 'it is not conceived as an instrument for data protection compliance.'

Therefore, the CTR's conception of consent should not be confused with the conception of consent as a legal ground for the processing of data under the GDPR, and in any event each of them should be obtained in compliance with its respective legal requirements. Under the GDPR 'consent must be freely given, specific, informed, unambiguous, and explicit consent is required when the processing of special categories of data, such as health data, are involved.'

Moreover, as outlined in the previous section of this Guidance Note, the EDPB considers the use of consent as a legal basis for the processing of personal data unlawful in any situation where there is an imbalance of powers between the sponsor/investigator and the data subjects involved in clinical trials. Examples provided by the EDPB of situations where an imbalance of powers exists include:

  • when participants of clinical trials are not in good health conditions;
  • when participants of clinical trials belong to an economically or socially disadvantaged group; or
  • when participants of clinical trials are in any situation of institutional or hierarchical dependency.

Data controllers should bear such criteria in mind when intending to rely on the data subject's consent as a legal basis for the processing of their personal data in a clinical trial. Nonetheless, the Data Protection Law of 2018 expressly provides for the possibility of data subjects granting consent to the processing of their personal data for medical and biomedical research purposes.

Withdrawal of consent

As for the withdrawal of consent, the EDPB reiterates the distinction between the CTR and the GDPR, stating that 'the withdrawal of the informed consent, under Article 28(3) of the CTR, must not be confused with the withdrawal of consent under the GDPR.' It is important to note that withdrawal of informed consent under CTR does not prohibit the further processing of data obtained before such withdrawal.

By contrast, withdrawal of consent under the GDPR (which data subjects can exercise at any given time) means that the data controller must stop any processing activities carried out over the personal data obtained to that point, unless another legitimate basis for processing can be established.

Therefore, if a participant in a clinical trial withdraws their consent, any processing activities for research purposes must be terminated, but other processing activities carried out under a legitimate basis other than consent may lawfully continue.

Pursuant to Article 13 of the GDPR, data subjects participating in clinical trials should be provided with information regarding the processing of their data. In this respect, the 17th Additional Provision of the Data Protection Law of 2018 clarifies that such information must be published in an easily accessible section of the business website of the sponsor/investigator, and that data subjects must be notified by electronic means of the existence of such information.

Children and other persons lacking legal capacity

With regard to individuals without legal capacity, specific conditions for the processing of their personal data apply. As a general rule, individuals without legal capacity cannot give valid consent for the processing of their personal data.

However, the GDPR establishes certain specific conditions applicable to the consent of children in Article 8. Specifically, Article 8 provides for the possibility that children may give consent for the processing of their personal data in relation to the offer of information society services. In such a situation, consent given by a child is valid where the child is at least 16 years old, or at least the lower age (which may be no lower than 13 years) that a Member State has set for this purpose. The Data Protection Law of 2018 sets the threshold at 14 years old. The processing of the personal data of children below this age requires the consent of the person holding parental responsibility over the child.

However, even in this scenario, the EDPB's Opinion on the Interplay between the CTR and the GDPR should be taken into account: if there is any situation of imbalance between controller and child data subjects, consent given by the latter may not be considered as valid.

2.3. Data obtained from third parties

The Data Protection Law of 2018 contains provisions relating to 'reutilisation of personal data for health and biomedical research purposes.' It provides that the reutilisation of health-related data for such purposes will be considered lawful when, once consent has been obtained from the data subject for a specific purpose, such data is reutilised for purposes or areas of research related to the area in which the initial study was conducted.

Furthermore, in such scenarios, the controller must publish the information relating to the processing of the data subject's data required by Article 13 of the GDPR in an accessible section of the business website of the sponsor/investigator. In addition, the data subjects must be notified by electronic means of the existence of such information.

The Data Protection Law of 2018 expressly establishes the use of pseudonymised personal data for health-related and biomedical investigation purposes as a lawful practice, in circumstances where the following conditions are fulfilled:

  • there exists a technical and operational separation between the research team and those who perform the pseudonymisation and store the re-identification information;
  • the pseudonymised personal data is accessible to the research team only when:
    • there is a confidentiality agreement in place including the commitment not to re-identify the data; and
    • specific security measures are adopted to prevent re-identification and unauthorised access by third parties; and
  • re-identification may only be performed when an actual and specific danger is detected, either to the health of an individual or to the individual's rights, or in order to provide proper healthcare assistance.

3. Pharmacovigilance

Under the legal regime prior to the entry into force of the GDPR, the vast majority of data protection obligations which specifically referred to pharmacovigilance were contained in the Self-Regulatory System for Data Protection: Code of Conduct in the Pharmaceutical Industry ('the Code of Conduct'), originally published in 2014 by Farmaindustria, the national business association of the pharmaceutical industry. The Code of Conduct has been adopted by the vast majority of pharmaceutical companies in Spain and endorsed by the AEPD.

The Code of Conduct based the processing of personal data from patients on pseudonymisation, assigning ID codes to patients of clinical trials, clinical research and pharmacovigilance. Where this mechanism is successfully implemented, the Code of Conduct suggests that no processing of personal data takes place, with the ID codes anonymising the relevant processed data.

However, such opinion may no longer be considered lawful under the provisions of the GDPR, namely in consideration of the definition of 'pseudonymisation' given by Recital 26, which states that 'personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.'

If this definition is suitably applied, the ID codes advocated by the Code of Conduct, which are assigned to patients participating in a clinical trial or whose personal data might be processed as a consequence of a pharmacovigilance obligation, should be considered personal data even when pseudonymised, with the legal consequence that the provisions of the GDPR apply to their processing.
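The following is an added example (not part of the original Guidance Note or of the Code of Conduct) showing, in working form, the pseudonymisation arrangement described under section 2.3 and why the ID codes discussed above remain personal data: a separate custodian holds the key and the re-identification table, the research team receives only coded records, and re-identification is gated on the three grounds listed in section 2.3 and logged. The field names, reason labels and patient records are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Direct identifiers that must never reach the research team's dataset
# (constructed field names for this example).
DIRECT_IDENTIFIERS = ("name", "national_id", "email")

# The three re-identification grounds paraphrased from section 2.3: danger to the
# individual's health, to the individual's rights, or the need to provide
# healthcare assistance. The labels are constructed for this example.
ALLOWED_REASONS = {"health_danger", "individual_rights", "healthcare_assistance"}


@dataclass
class Custodian:
    """The operationally separate unit that performs pseudonymisation and keeps
    the re-identification information. The research team never holds one."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)  # pseudonym -> direct identifiers
    audit: list = field(default_factory=list)   # every re-identification request

    def pseudonym(self, national_id: str) -> str:
        # Keyed hash: the code is stable for one patient (records stay linkable)
        # but cannot be recomputed or reversed by anyone without the key.
        digest = hmac.new(self.key, national_id.encode("utf-8"), hashlib.sha256)
        return digest.hexdigest()[:16]

    def pseudonymise(self, records: list) -> list:
        """Return the dataset handed to researchers: pseudonym plus clinical
        fields only. The direct identifiers stay here, in the lookup table."""
        dataset = []
        for rec in records:
            code = self.pseudonym(rec["national_id"])
            self.lookup[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
            clinical = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            dataset.append({"pseudonym": code, **clinical})
        return dataset

    def reidentify(self, code: str, reason: str, requester: str) -> dict:
        """Allow re-identification only on a permitted ground, and record every
        request, granted or refused, so the decision can be reviewed later."""
        granted = reason in ALLOWED_REASONS and code in self.lookup
        self.audit.append({"code": code, "reason": reason,
                           "requester": requester, "granted": granted})
        if not granted:
            raise PermissionError(f"re-identification of {code} refused: {reason}")
        return dict(self.lookup[code])


def contains_direct_identifiers(dataset: list) -> bool:
    """What the research team can see on its own: no direct identifier fields."""
    return any(k in DIRECT_IDENTIFIERS for rec in dataset for k in rec)


# Constructed sample records, not real patients.
SAMPLE_RECORDS = [
    {"name": "Ana Example", "national_id": "00000000A", "email": "ana@example.invalid",
     "diagnosis": "E11", "visit": "2023-01-10"},
    {"name": "Ana Example", "national_id": "00000000A", "email": "ana@example.invalid",
     "diagnosis": "E11", "visit": "2023-04-02"},
    {"name": "Bo Example", "national_id": "00000000B", "email": "bo@example.invalid",
     "diagnosis": "I10", "visit": "2023-02-15"},
]


def run_demo() -> dict:
    custodian = Custodian()
    research_dataset = custodian.pseudonymise(SAMPLE_RECORDS)
    # Both of Ana's visits carry the same code, so the study can link them.
    same_patient = research_dataset[0]["pseudonym"] == research_dataset[1]["pseudonym"]
    # A researcher holding only the dataset cannot reverse the codes...
    leaks = contains_direct_identifiers(research_dataset)
    # ...but the custodian can, which is why the codes remain personal data.
    try:
        custodian.reidentify(research_dataset[0]["pseudonym"], "curiosity", "researcher")
        refused = False
    except PermissionError:
        refused = True
    identity = custodian.reidentify(research_dataset[0]["pseudonym"],
                                    "health_danger", "treating_physician")
    return {"same_patient": same_patient, "leaks": leaks, "refused": refused,
            "identity": identity["name"], "audit_entries": len(custodian.audit)}


if __name__ == "__main__":
    print(run_demo())
```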

Neither the AEPD, nor Farmaindustria have issued further guidance, guidelines or opinions on this issue since the entry into force of the GDPR.

4. Biobanking

The establishment of biobanks requires the authorisation of the competent health authorities of the autonomous region in which the biobank is to be located. If a biobank is to be constituted with national scope, the Ministry of Science, Innovation and Universities will also have specific powers for surveillance and control.

The minimum requirements for the establishment of biobanks are outlined in Royal Decree 1716/2011, of 18 November 2011, Establishing the Basic Requirements for the Authorisation and Operation of Biobanks for the Purposes of Biomedical Research and the Treatment of Biological Samples of Human Origin, and Regulating the Operation and Organisation of the National Register of Biobanks for Biomedical Research (only available in Spanish here) ('the Biobanks Decree'). Such requirements may be summarised as follows:

  • The biobank must:
    • be able to justify the biomedical interest for its operationalisation;
    • have appointed the relevant individuals in charge of the scientific direction and the responsibility for the data;
    • be attached to two external committees, one of scientific nature and the other of ethical nature;
    • have the necessary mechanisms and safeguards in place to guarantee the preservation of the samples in adequate conditions;
    • have registered the relevant personal data file in the registry of the supervisory authority; and
  • the activity of the biobank cannot be onerous.

However, it should be noted that the registration requirement has been superseded by the GDPR, under which the obligation to register the personal data file with the supervisory authority no longer applies. As the Biobanks Decree has not been updated since the entry into force of the GDPR, and no guidance in relation to biobanks has since been issued by the AEPD or the AEMPS, it is uncertain whether any such notification obligation still remains in force.

Taking into account the abovementioned legal developments, processing activities carried out by biobanks will only be subject to the relevant provisions of the data protection legislation on processing of health-related personal data, as no additional guidance or prohibitions have been developed as of today.

5. Data Management

The current legal position with regard to the obligations of the data controller in relation to the processing of health-related personal data is largely derived from the GDPR's accountability principle, as well as the data protection principles enshrined in Article 5 of the GDPR, which oblige data controllers to constantly review, and be able to prove, compliance with the relevant provisions on personal data protection. Pursuant to the GDPR, the sensitivity of the particular category of personal data being processed determines the extent of the legal obligations with which the data controller is required to comply.

In this sense, the processing of health-related personal data may only be considered lawful where both an Article 9(2) exemption and an Article 6 legitimate ground for processing concurrently apply. Other obligations include the maintenance of a record detailing all the relevant processing activities, and the implementation of appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing.

Among such measures to be implemented, pseudonymisation has long been considered key, according to well-established practices relating to the processing of health-related personal data. However, following the entry into force of the GDPR, data controllers must now review the key risks of their processing activities, and comply with the particular obligations set by the GDPR for the processing of special categories of personal data, such as conducting a Data Protection Impact Assessment ('DPIA').

The AEPD considers the performance of a DPIA mandatory when processing the special categories of personal data referred to in Article 9(2) of the GDPR, pursuant to the AEPD's List of the Types of Data Processing that Require A Data Protection Impact Assessment Under Art 35(4).

Although not updated for the GDPR, the Biomedical Research Law contains various provisions on the processing of health-related personal data for research purposes. The Biomedical Research Law prohibits the use of personal data for purposes other than those consented to by the data subject and, in particular, establishes that any transfer to third parties not related to medical research will require the prior, express and written consent of the affected individual.

Similarly, the disclosure of any information obtained from data subjects which may affect their relatives will require the prior, express and written consent of all the affected individuals. The Biomedical Research Law also prohibits the secondary processing of personal data for biomedical purposes when the data was collected for other purposes, unless express consent is provided from the affected data subject, regardless of whether or not such data has been anonymised.

However, a specific exception is provided by Article 58(2) of the Biomedical Research Law, which permits processing without the data subject's consent in circumstances where:

  • obtaining such consent is not possible or involves an unreasonable effort;
  • such processing has been expressly approved by the Research Ethics Committee;
  • the research is of general interest;
  • the research is conducted by the same institution that requested consent for the collection of the samples;
  • the research would be less effective or not possible without the identifiable data of the data subject;
  • there is not an express objection to the processing of such data; and
  • confidentiality of personal data is ensured.

As previously mentioned, the Biomedical Research Law has not been subject to any particular amendments since the entry into force of the GDPR. However, according to the Report on GDPR Impact on Biomedical investigation, the pre-GDPR legal regime on biomedical research would not be affected by the GDPR. This assertion may well be subject to future discussion, given the recent AEPD interpretations of the GDPR discussed above.

Lastly, the Data Protection Law of 2018 imposes a specific obligation on healthcare centres which are legally obliged to store patients' medical records to appoint a DPO, the only exception being healthcare professionals practising on an individual basis.

6. Outsourcing

There are two main types of organisation to which sponsors may wish to outsource clinical trials or biomedical investigations, in situations where such sponsors do not have the means to collect, store or delete patients' samples, or where they require the aid of a third party to analyse the relevant information. The two such types of organisation are:

  • Contract Research Organisations ('CROs'), which are usually hired to conduct clinical trials on behalf of sponsors, and are able even to conduct all the necessary phases of the clinical trial; and
  • public/private medical centres and hospitals, which have greater capacity to be involved in both biomedical investigation and in clinical trials.

It is necessary to determine the particular position of each relevant party in relation to the data processing activities carried out. According to the GDPR, an entity is a data controller when it determines the purposes and means of a particular processing activity, and a data processor when it processes personal data on behalf of the data controller.

The key point is that almost every entity may have to carry out certain activities which involve 'determining the purposes and means of the processing of personal data', such as when complying with its own legal obligations or using personal data for secondary purposes (even when anonymised).

Therefore, even a medical centre gathering samples for a clinical trial on behalf of a sponsor (i.e. as data processor) might have to carry out certain processing activities in order to comply with its own legal obligations (e.g. obligations regarding the permitted time period for storing samples). Consequently, the medical centre would be considered a data processor in relation to the collection of the samples, but a data controller in relation to the storage of those samples as a consequence of a legal obligation.

In certain scenarios, in which both the medical centre and the sponsor determine the means and purposes of a particular processing, a 'joint liability agreement' should be signed by both parties, as they would be considered joint controllers according to Article 26 of the GDPR. For other processing activities carried out by a processor in strict compliance with the means and purposes set by the data controller, a 'data processing agreement' should govern the relationship between the parties.

7. Data Transfers

According to the GDPR, international transfers (outside the European Economic Area), including those involving health-related personal data, will be considered lawful only if certain conditions apply.

An international transfer may be based on an adequacy decision, where the European Commission ('the Commission') has decided that a particular third country, territory or international organisation ensures an adequate level of protection for personal data. The updated list of adequacy decisions can be accessed here.

In the absence of an adequacy decision, transfers may also be based on appropriate safeguards, which do not require any specific authorisation from a supervisory authority, by means of one of the following legal mechanisms:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules, pursuant to Article 47 of the GDPR;
  • standard data protection clauses ('SCC') adopted by the Commission (the current version of the SCC can be accessed here);
  • SCC adopted by a supervisory authority and approved by the Commission;
  • an approved code of conduct, pursuant to Article 40 of the GDPR; or
  • an approved certification mechanism, pursuant to Article 42 of the GDPR.

Subject to authorisation of the competent supervisory authority, transfers may also be based on:

  • contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
  • provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

In the absence of an adequacy decision or appropriate safeguards, an international transfer may take place according to the conditions specified in Article 49(1) of the GDPR, which include the condition that the data subject has explicitly consented to the transfer, having been informed of the possible risks of such transfer.

Lastly, the Data Protection Law of 2018 outlines, in Article 42, which transposes Article 46(3) of the GDPR, circumstances where the international transfer must be authorised by the supervisory authority, and sets a maximum period of authorisation of six months.

8. Breach Notification

Pursuant to Article 33 of the GDPR, data controllers must notify any data breach involving personal data to the supervisory authority (the AEPD in the case of Spain), without undue delay and in any event within a maximum of 72 hours after becoming aware of it. In the event that this deadline is not met, such notification must be accompanied by reasons for the delay. The notification should include:

  • the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the details of the company's data protection officer (if any) or a contact individual to obtain more information;
  • a description of the potential consequences of the data breach; and
  • the measures taken or proposed to be taken in order to mitigate the data breach.

This obligation must be fulfilled notwithstanding any other notification obligations to which the data controller may be subject, such as notifying the competent Computer Security Incident Response Team ('CSIRT'), or the competent health authorities in cases involving health-related personal data.

In the same vein, Article 34 of the GDPR requires the data controller to assess the potential risk of the data breach to the rights and freedoms of the data subjects whose personal data have been affected, and to communicate the breach to those data subjects where the assessment reveals a high risk. Such communication to the affected data subjects is not necessary if:

  • the data controller has implemented appropriate security measures that render the personal data unintelligible, such as strong encryption;
  • the data controller takes subsequent measures to mitigate the risks; or
  • the personal communication to data subjects involves disproportionate effort, in which case a public communication should be issued.

The Data Protection Law of 2018 establishes varying degrees of severity in relation to potential infringements of the notification obligation. Under the Data Protection Law of 2018, the following categories of infringement are considered severe:

  • failure on the part of processors to notify controllers;
  • failure on the part of controllers to notify the supervisory authority; and
  • failure to notify data subjects when required by the supervisory authority.

On the other hand, the Data Protection Law of 2018 considers the following infringements as minor:

  • incomplete, defective or delayed notifications;
  • non-compliance with data breach documentation requirements; and
  • failing to notify data subjects when the data breach poses a high risk (where there has been no express demand from the supervisory authority).

9. Data Subject Rights

Data subjects' rights are laid down in Chapter III of the GDPR, namely in Articles 12 to 23.

The Data Protection Law of 2018 expressly provides, in Section 2(e) of the 17th Additional Provision, certain restrictions on the GDPR data subject rights where personal data is processed for health research purposes. In particular, the rights to access (Article 15), rectification (Article 16), restriction of processing (Article 18) and the right to object (Article 21) may be restricted in circumstances where:

  • these rights are exercised directly against researchers or research centres using anonymised or pseudonymised data;
  • the exercise of such rights relates to the results of the investigation; and
  • the research is aimed at an essential public interest related to national security, defence, public security or other important objectives of general public interest, as prescribed by law.

Rather than establishing specific rights for minors, the GDPR provides strict consent requirements for the processing of minors' personal data (see the section on Consent above for further information).

Finally, it should be noted that, pursuant to Recitals 27, 158 and 160, the GDPR does not apply to the personal data of deceased persons. However, Article 3 of the Data Protection Law of 2018 includes provisions on deceased persons' personal data, which provide that:

  • de facto related individuals or relatives of the deceased person may contact the data controller (or processor, if applicable) in order to request access, rectification or erasure of the deceased person's personal data, unless expressly prohibited by law or by the deceased person themselves;
  • certain individuals or institutions, which may have been expressly designated by the deceased person, will also be entitled to the same rights; and
  • in the event of the death of a minor, their legal representatives or the Public Prosecutor's Office will be entitled to the same rights.

10. Penalties

Article 83 of the GDPR envisages two levels of monetary penalties, depending on the severity and type of the infringement:

  • Administrative fines of up to €10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; and
  • Administrative fines of up to €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In addition, Article 58(2) of the GDPR grants a series of corrective powers to supervisory authorities, such as the power to issue warnings and reprimands, to impose temporary or definitive bans on processing activities, and to suspend data flows or even withdraw data protection certifications. Furthermore, the Data Protection Law of 2018 establishes that any monetary penalty imposed on a legal person in excess of €1 million will be published in the Spanish Official Gazette, including the identification of the infringing party and the nature and amount of the penalty.

11. Other Areas of Interest

Telemedicine

Although no specific regulations on telemedicine have been enacted in Spain, there are a number of companies providing such services, which are regulated by the following legal instruments:

Rafael Garcia Del Poyo Partner
Samuel Martinez Partner
Osborne Clarke, Madrid