Czech Republic: Health and Pharma Overview
1. Governing Texts
In the Czech Republic, the processing of personal data for scientific research and the provision of healthcare products and services, including the conduct of clinical trials, is governed by both EU and national laws. Clinical trials regularly require the processing of health, genetic, and biometric data, which constitute special categories of personal data and, thus, enjoy higher protection.
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is the foundation of data protection law in the EU. The applicable Czech law is to a great extent an implementation of EU regulations and directives on personal data protection. Act No. 110/2019 Coll. on Personal Data Processing ('the Act') adapts the GDPR to the national context and specifies its principles and requirements where the GDPR leaves room for Member State law.
Regulation (EU) No 536/2014 of 16 April 2014 on Clinical Trials on Medicinal Products for Human Use, and Repealing Directive 2001/20/EC (the 'Clinical Trials Regulation'), which harmonises the regulatory framework for clinical trials in the EU, became applicable on 31 January 2022. For one year, until 31 January 2023, clinical trial sponsors can still choose whether to submit an initial clinical trial application under the previous system (Directive 2001/20/EC on the Implementation of Good Clinical Practice in the Conduct of Clinical Trials on Medicinal Products for Human Use) or via the new Clinical Trials Information System ('CTIS').
The Clinical Trials Regulation and Act No. 378/2007 Coll., on Pharmaceuticals (only available in Czech) lay down specific rules for the processing of personal data in the course of clinical trials, for example on informed consent.
The health and pharmaceutical sectors are regulated by the following acts, which may also contain specific rules complementing the GDPR:
- Act No. 372/2011 Coll., on Health Services and Conditions for their Provision ('Act on Health Services') (only available in Czech);
- Act No. 373/2011 Coll., on Specific Health Services (only available in Czech);
- Act No. 374/2011 Coll., on the Medical Rescue Service (only available in Czech);
- Regulation (EU) 2017/745 on Medical Devices ('Medical Devices Regulation');
- Regulation (EU) 2017/746 on In Vitro Diagnostic Medical Devices ('In Vitro Diagnostic Medical Devices Regulation');
- Act No. 89/2021 Coll., on Medical Devices ('Act on Medical Devices') (only available in Czech);
- Act No. 268/2014 Coll., on In Vitro Diagnostic Medical Devices ('Act on In Vitro Diagnostic Medical Devices') (only available in Czech); and
- Act No. 48/1997 Coll., on Public Health Insurance (only available in Czech).
The aforementioned legislation is accompanied by several more specific decrees, such as:
- Decree No. 98/2012 Coll., on Medical Documentation ('Decree on Medical Documentation') (only available in Czech);
- Decree No. 463/2021 Coll., on more detailed conditions for conducting clinical trials of medicinal products for human use (only available in Czech); and
- Decree No. 226/2008 Coll., on good clinical practice and detailed conditions for the clinical evaluation of medicinal products ('Decree on good clinical practice and detailed conditions for the clinical evaluation of medicinal products') (only available in Czech).
1.2. Supervisory authorities
The Office for Personal Data Protection ('UOOU') is the independent supervisory body for compliance with data protection regulations in the Czech Republic. Its main tasks are to monitor and enforce the application of personal data regulation, i.e. to act as a supervisory authority, and to raise public awareness of personal data protection.
The responsibilities of the UOOU include:
- supervising compliance with the obligations in the area of personal data processing;
- receiving suggestions and complaints about breaches of those obligations and informing complainants about their handling;
- investigating offences, among others on the basis of information received from another supervisory authority or other public authority; and
- imposing fines.
Educational and consultative role
The UOOU provides individual consultation, as well as consultation to representatives of professional, trade and industry associations, on the application of the GDPR. In particular, it answers questions on the lawful processing of personal data and on the interpretation of other obligations imposed on controllers and processors.
The UOOU publishes the more widely applicable outputs of its consultation activities on its website and holds a public consultation on draft guidance addressed to data controllers at large. Furthermore, the UOOU advises the Parliament of the Czech Republic, the Government and other bodies and institutions in connection with legislative activities.
The responsibilities in the Czech health system, including the pharmaceutical system and clinical trials, are divided among several bodies, including:
- the Ministry of Health of the Czech Republic, which is the main authority at the state level, in charge of the regulatory framework and its supervision;
- the National Institute of Public Health (Státní zdravotní ústav), established to prepare the basis for national health policy, to protect and promote health, and to provide methodological and reference activities in the field of public health protection; and
- the State Institute for Drug Control ('SÚKL'), which evaluates the evidence of efficacy, quality and safety of medicinal products and authorises clinical trials.
SÚKL issues and updates guidelines for the submission and conduct of clinical trials with medicinal products, including:
- Methodological recommendation on the content of the contract for clinical trials of medicinal products for human use;
- Opinion of the Department of Clinical Trials of Medicinal Products of SÚKL on ongoing clinical trials and clinical trials not yet started in connection with COVID-19 (only available in Czech); and
- Requirements for the text of the information for the trial subject / informed consent (KLH-22, Version 4) (only available in Czech).
The European Medicines Agency ('EMA') has issued guidelines for compliance with good clinical practice, including:
- Guideline on good clinical practice (ICH E6(R2));
- Guideline on the Content, Management and Archiving of the Clinical Trial Master File (Paper and/or Electronic); and
- Guideline on Good Pharmacovigilance Practices.
The Ethics Committee of SÚKL (the 'Ethics Committee') has issued guidelines on the conduct of clinical trials, including:
- Requirements for documents submitted with the application for authorisation of Part II of a clinical trial ('KLH-CTIS-01') (only available in Czech); and
- Rules of Procedure of the Ethics Committee of SÚKL (only available in Czech).
The Ministry of Health has also issued special guidelines regarding vaccination against COVID-19, such as:
- Guidance on Medical Record Keeping and Informed Consent (only available in Czech).
Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Article 4 of the GDPR).
Data concerning health: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his/her health status (Article 4 of the GDPR).
Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he/she, by a clear affirmative action, signifies agreement to the processing of personal data relating to him/her (Article 4 of the GDPR).
Clinical trial: A clinical study which fulfils any of the following conditions (Article 2(2)(2) of the Clinical Trials Regulation):
- the assignment of the subject to a particular therapeutic strategy is decided in advance and does not fall within normal clinical practice of the Member State concerned;
- the decision to prescribe the investigational medicinal products is taken together with the decision to include the subject in the clinical study; or
- diagnostic or monitoring procedures in addition to normal clinical practice are applied to the subjects.
If, during the transition period until 31 January 2023, a clinical trial application is filed under the previous regulatory scheme in line with the repealed Directive 2001/20/EC on the Implementation of Good Clinical Practice in the Conduct of Clinical Trials on Medicinal Products for Human Use ('Clinical Trials Directive'), the trial must be authorised by SÚKL and receive a favourable opinion from at least one ethics committee (e.g. the ethics committee for multicentric clinical trials or an ethics committee established at a healthcare institution). The assessment of the investigational medicine and of the organisation of the study is carried out by the expert staff of SÚKL in cooperation with experts in the clinical field for which the medicine is intended.
The subject of the assessment is, in particular:
- the risk-benefit ratio, i.e. the potential risk for patients versus the potential benefit of the study (not only for individuals, but for the population as a whole);
- the study design (the selection of patients, the schedule of visits, the chosen controls and examinations, the dosage and duration of treatment, the objectives set and the parameters selected to demonstrate them), on the basis of which objective and valid results can be obtained; and
- the quality of the medicinal products used.
The ethics committees focus in particular on the ethical aspects of the study, the selection of the physicians according to their qualifications and experience, and the suitability and facilities of the chosen site in the context of the proposed clinical trial. Their task is to assess the protection and rights of the subjects, the provision of insurance, and the appropriateness of any information material for patients or healthy volunteers.
Effective as of 31 January 2022, a new portal and database, the CTIS, was introduced, which enables a centralised, single electronic submission of a clinical trial application. Under the new regulatory system there is only one national ethics committee, established at SÚKL. The Ethics Committee of SÚKL has issued KLH-CTIS-01, which stipulates in detail the requirements for the documents to be submitted with Part II of the application for clinical trial authorisation, the part that is subject to national assessment.
Embryonic stem cell research
Act No. 227/2006 Coll., on Research on Human Embryonic Stem Cells and Related Activities (only available in Czech) regulates stem cell research in the Czech Republic. Embryonic stem cell research may be conducted on embryonic stem cell ('ES cell') lines that have been imported into the country or derived from surplus IVF embryos not older than seven days. Donor informed consent is required. Embryonic stem cell research is permitted if it is proved that the research will advance scientific or medical knowledge and lead to the development of new treatments or cures for serious diseases, and only where the expected scientific benefits cannot be achieved by other methods. Reproductive cloning is banned.
Legal grounds for processing personal data
The processing of personal data in the course of clinical research and clinical trials must comply with EU and national data protection law. In particular, the GDPR requires a lawful basis for all processing of personal data. Health, genetic and biometric data are special categories of personal data whose processing is prohibited in principle by Article 9(1) of the GDPR. Article 9(2) of the GDPR, however, provides exemptions from that general prohibition. Accordingly, the processing of health, genetic and biometric data in the course of a clinical trial may be lawful if either the data subject has given explicit consent (Article 9(2)(a) of the GDPR) or the processing is necessary for reasons of public interest, public health or scientific research (Article 9(2)(g), (i) or (j) of the GDPR).
According to Section 16(1) of the Act, when processing personal data for scientific purposes the controller or processor shall ensure compliance with specific measures to protect the interests of the data subject, appropriate to the context and purposes of the processing.
Such measures can include, in particular:
- keeping records of all operations of collection, insertion, alteration and erasure of personal data which make it possible to identify the individual who carried out the operation, and retaining those records for at least two years after the operation;
- informing individuals processing personal data of their data protection obligations;
- pseudonymisation of personal data;
- encryption of personal data; and
- a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures in place to ensure the security of processing.
The retention of health, genetic and biometric data is legitimate under Article 9(2)(i) of the GDPR if the retention is prescribed by EU or Member State law. In the Czech Republic, the general statutory rule is that personal data may be retained for scientific purposes for as long as necessary. Most statutory retention obligations, however, prescribe minimum retention periods. With regard to clinical trials, for example, upon completion of the trial the investigator shall ensure that the source documents are retained in accordance with the rules on the retention of medical records, and the subject identification codes shall be retained for at least 15 years in accordance with Section 9 of the Decree on good clinical practice and detailed conditions for the clinical evaluation of medicinal products. As this is only a minimum retention period, these documents may also be retained longer.
Before the collection of personal data, the controller must provide to the data subject all information according to Article 13 of the GDPR.
To participate in a clinical trial, subjects must give their informed consent. Informed consent is now set out in Article 29 of the Clinical Trials Regulation, which describes in detail the framework and requirements for obtaining it.
The Clinical Trials Regulation also contains specific provisions for the following groups of clinical trial subjects:
- consent in cluster trials;
- consent for minors or incapacitated persons;
- consent for pregnant or breastfeeding women;
- consent for other vulnerable populations; and
- consent in trials in emergency situations.
The Clinical Trials Regulation does not affect national provisions concerning incapacitated individuals and minors. Under the recent amendment to the Act on Medical Devices, consent to data processing must be given by the legal representative of a minor, unless the minor is intellectually and volitionally mature enough to fully understand all possible consequences.
Individuals with limited legal capacity, as well as other groups of individuals in a 'subordinate or dependent position', may be subjects of a clinical trial only under the specific additional conditions set out in Act No. 378/2007 Coll., on Pharmaceuticals.
Further requirements concerning informed consent are set out in the guideline Requirements for documents submitted with the application for authorisation of Part II of a clinical trial (KLH-CTIS-01), issued by the Ethics Committee of SÚKL.
Under Article 9(2)(j) of the GDPR, consent is not required for processing for scientific research purposes, provided that the processing is proportionate to the aim pursued, respects the essence of the right to data protection, and is accompanied by appropriate and specific safeguards for the fundamental rights and interests of the data subject (such as pseudonymisation and encryption).
2.3. Data obtained from third parties
If personal data is obtained from third parties, the controller shall provide the data subject with the information according to Article 14 of the GDPR, such as:
- the identity and contact details of the controller;
- the purposes of the processing for which the personal data are intended and the legal basis for the processing;
- the categories of personal data concerned; and
- the intention, if any, of the controller to transfer the personal data to a recipient in a third country or an international organisation.
With regard to clinical trials, this obligation does not apply insofar as the provision of such information proves impossible or would involve a disproportionate effort (Article 14(5)(b) of the GDPR).
EU law requires each marketing authorisation holder, each national competent authority and the EMA to operate a pharmacovigilance system. The overall EU pharmacovigilance system, the EudraVigilance database, operates through cooperation between the EU Member States, the EMA and the European Commission. Reports by all stakeholders have to be submitted to the EudraVigilance database directly, via the centralised reporting system, within the time limits stipulated by law: serious adverse reactions within 15 days, non-serious adverse reactions within 90 days.
SÚKL operates the pharmacovigilance system of the Czech Republic, through which it:
- collects information on the risks of medicinal products for human use to patients' health or public health, including information on adverse reactions associated with the use of medicinal products in accordance with or contrary to their marketing authorisation and adverse reactions associated with the handling of medicinal products in the workplace;
- evaluates that information and considers options for reducing and preventing risks associated with the use of medicinal products for human use; and
- takes measures to amend, suspend or cancel a marketing authorisation, prohibit the sale or use of medicinal products, or withdraw them from the market.
SÚKL processes the data provided for the purpose of recording and processing adverse reaction reports on the basis of Sections 93a and 93b of Act No. 378/2007 Coll., on Pharmaceuticals. The personal data are not stored for long and are anonymised immediately after receipt of the report.
There is no special legislation on biobanking. The general provisions of the GDPR and the Act apply, together with Act No. 296/2008 Coll., on Ensuring the Quality and Safety of Human Tissues and Cells Intended for Use in Humans and on Amendments to Related Acts ('Human Tissues and Cells Act') (only available in Czech), the Act on Health Services, and Act No. 285/2002 Coll., on Donation, Collection and Transplantation of Tissues and Organs and on Amendments to Certain Acts ('Transplantation Act') (only available in Czech), depending on the kind of samples the biobank preserves.
Samples of biological material are stored in a biobank exclusively in pseudonymised form, i.e. under a meaningless numerical code that does not allow direct identification of a specific individual. A specific individual can be identified only by an authorised member of the biobank's staff. Health data are processed only to the extent necessary, and only for the time necessary for the purposes of the scientific research.
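The pseudonymisation just described, together with the operation records that Section 16(1) of the Act contemplates for scientific processing, can be implemented as follows. The Python block below is an added example for illustration; it is not code from this page or from any Czech authority or biobank, and it assumes a simplified data model (an identity record of name and date of birth, a research record of health fields only) held in memory. The subject code is drawn from a cryptographic random number generator rather than derived from the subject's details, so the code itself carries no information; the linking table is kept separately and can be resolved only by designated custodians; and every collection, alteration, erasure and re-identification attempt is recorded with the operator's identity.

```python
"""Constructed example of biobank-style pseudonymisation with an audit trail.

Not code from the page or from any Czech authority. Assumptions: identity
record = name + date of birth; research record = health fields only;
in-memory storage. Subjects appear in research data only under a random,
meaningless numeric code; the linking table is separate and may be
consulted only by designated custodians; every operation is logged with
the operator's identity (cf. Section 16(1) of Act No. 110/2019 Coll.).
"""
import json
import secrets
from datetime import datetime, timezone


class Pseudonymiser:
    def __init__(self, custodians, code_digits=10):
        self._custodians = frozenset(custodians)
        self._code_digits = code_digits
        self._link = {}      # pseudonym -> identity record (custodian access only)
        self._reverse = {}   # (name, dob) -> pseudonym, to prevent double enrolment
        self.research = {}   # pseudonym -> health data, what researchers see
        self.audit = []      # one entry per operation: when, who, what, which code

    def _log(self, operator, op, code):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "operator": operator,
            "op": op,
            "pseudonym": code,
        })

    def _new_code(self):
        # A CSPRNG code carries no information about the subject. A hash of
        # the name or birth date would be guessable from a small candidate
        # set and is deliberately not used here.
        while True:
            code = str(secrets.randbelow(10 ** self._code_digits)).zfill(self._code_digits)
            if code not in self._link:
                return code

    @staticmethod
    def _identity_key(identity):
        return (identity["name"].casefold(), identity["dob"])

    def enrol(self, operator, identity, health_data):
        """Collect: register a subject and return the pseudonym."""
        key = self._identity_key(identity)
        if key in self._reverse:
            raise ValueError("subject already enrolled")
        code = self._new_code()
        self._link[code] = dict(identity)
        self._reverse[key] = code
        self.research[code] = dict(health_data)
        self._log(operator, "collect", code)
        return code

    def update(self, operator, code, **fields):
        """Alter: change health fields under an existing pseudonym."""
        self.research[code].update(fields)
        self._log(operator, "alter", code)

    def erase(self, operator, code):
        """Erase: remove both the research record and the link."""
        del self.research[code]
        identity = self._link.pop(code)
        del self._reverse[self._identity_key(identity)]
        self._log(operator, "erase", code)

    def reidentify(self, operator, code):
        """Only a designated custodian may resolve a code to a person."""
        if operator not in self._custodians:
            self._log(operator, "reidentify-denied", code)
            raise PermissionError("only a designated custodian may re-identify")
        self._log(operator, "reidentify", code)
        return dict(self._link[code])

    def export_research(self):
        """What leaves the biobank: pseudonym plus health data, no identity."""
        return json.dumps(self.research, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample input, not a real subject.
    bank = Pseudonymiser(custodians={"custodian01"})
    code = bank.enrol("nurse07", {"name": "Jana Nováková", "dob": "1980-04-12"},
                      {"diagnosis": "C50.9", "sample": "blood"})
    bank.update("lab03", code, sample_volume_ml=5)
    print(bank.export_research())
    try:
        bank.reidentify("lab03", code)
    except PermissionError as e:
        print("denied:", e)
    print(bank.reidentify("custodian01", code))
    for entry in bank.audit:
        print(entry["ts"], entry["operator"], entry["op"], entry["pseudonym"])
```

Running the block enrols one constructed subject, shows that the research export contains the code and health data but no name, that a non-custodian's re-identification attempt is refused and recorded, and prints the audit trail. In a real deployment the linking table and the audit records would sit in separate, access-controlled stores, and the audit records would be kept for at least the two years mentioned above.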
The data controller is obliged to:
- apply data protection by design and by default;
- appoint a data protection officer (not required of all controllers);
- conduct a data protection impact assessment and, where required, a prior consultation with the supervisory authority;
- report personal data breaches to the UOOU and, where required, notify the affected data subjects; and
- keep records of processing activities (not required of all controllers).
Personal data may only be processed in the following circumstances:
- the data subject has given consent to the processing for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the controller is subject;
- the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Providing information to family members:
The patient must be advised of the possibility to designate the persons to whom information about his/her health may be disclosed. Similarly, the patient has the right to designate persons to whom the information may not be disclosed. Both decisions must be recorded in the medical record. The record may also indicate whether the designated persons may consent to the provision of health services to the patient if the patient is unable to do so, and how the information may be communicated to those persons (by telephone, email, SMS, etc.).
There are statutory exceptions to the rule that information is provided with the patient's consent. In particular, if the patient has expressed no prior wish and, because of his/her state of health, is unable to name the individuals to whom information may be communicated, persons close to the patient have the right to receive the information.
Data security requirements:
Appropriate measures must be put in place to protect medical documentation. These include pseudonymisation and encryption of the data, ensuring the resilience of data and services, ensuring data recoverability, and regular testing of the established processes.
The GDPR provides specific rules for the outsourcing of data processing activities. In particular, controllers must conclude a data processing agreement with any third party that processes personal data on their behalf (Article 28(3) of the GDPR). The GDPR prescribes the mandatory content of such an agreement, including processing only on the controller's documented instructions, confidentiality of the processor's staff, the technical and organisational measures required by Article 32, the conditions for engaging sub-processors, assistance with data subject requests and with the controller's security and breach-notification obligations, deletion or return of the data at the end of the service, and the controller's right to audit (Article 28(3) of the GDPR).
With regard to the processing of personal data, Article 25 of the GDPR requires the controller, taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity to the rights and freedoms of natural persons, to implement appropriate technical and organisational measures, such as pseudonymisation and data minimisation. Article 32 further mentions as appropriate measures:
- encryption of personal data;
- ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of those measures.
The GDPR sets out the principle that the free movement of personal data within the European Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. This principle cannot, however, be treated as a legal ground for transferring personal data to any controller at any time.
The possibility of transferring personal data without restriction within the European Union relates to institutional safeguards: the same high standard of legal protection of personal data applies in all EU Member States, so no additional institutional safeguards are needed. The controller must nevertheless have a legal basis for the actual transfer to another controller, since the transfer is itself a processing operation.
The controller must likewise have a legal basis when transferring personal data to a country outside the European Union, and in that case the conditions for the transfer must also be met in terms of institutional safeguards.
If the controller wishes to transfer personal data to another controller in a country outside the European Union, institutional protection must be ensured, i.e. personal data cannot (with exceptions) be transferred to countries where sufficient legal protection of personal data is not ensured, unless the controller has adopted instruments that ensure such protection for the transfer.
The European Commission may decide that a particular country ensures an adequate level of protection of personal data. In that case, no specific authorisation is required and no administrative obstacles are imposed on the transfer.
In the absence of a European Commission adequacy decision for a given country, personal data may only be transferred to that third country if the receiving controller has provided appropriate safeguards and enforceable data subject rights and effective legal remedies for data subjects are available. These appropriate safeguards include in particular binding corporate rules and standard contractual clauses. Apart from these instruments, personal data may be transferred to a third country if at least one of the conditions listed in Article 49(1) of the GDPR is met, for example where the data subject has given explicit informed consent or the transfer is necessary for the performance of a contract between the data subject and the controller.
As a general rule, a data controller must notify the competent supervisory authority of a personal data breach (Article 33(1) of the GDPR).
If a personal data breach occurs, the controller must report it to the UOOU without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Only incidents that pose such a risk are therefore reported, not minor matters that carry no risk.
For example, pseudonymisation or encryption may eliminate the risk altogether and thereby relieve the controller of the need to report the case to the supervisory authority. The level of risk must nevertheless always be assessed, even where pseudonymisation or encryption has been used: encrypted data whose key was compromised in the same incident, or pseudonymised data leaked together with the linking table, are not protected by those measures.
In the notification, the controller must describe the nature of the breach, the measures taken and the likely consequences, and must provide the contact details of the data protection officer ('DPO') if one has been designated.
Where a breach poses a high risk to the rights and freedoms of data subjects, the controller must also notify the data subjects themselves. It need not do so if it had applied protective measures that render the personal data unintelligible to any unauthorised person (e.g. encryption, or a leak of pseudonymised data without the link to the data subject), or if it has taken subsequent measures that ensure the high risk is no longer likely to materialise. Individual notification is also not required where it would involve disproportionate effort; in that case, data subjects must instead be informed in an equally effective manner by means of a public communication.
9. Data Subject Rights
The GDPR brings some new rights for patients and their legal representatives, but their application in the healthcare sector has certain limitations due to the special legislation in the Act on Health Services:
- the right to know what personal data (whether obtained with or without the data subject's consent) the healthcare provider processes and how;
- the right to have the provider rectify inaccurate, or complete incomplete, personal data without undue delay;
- the right to erasure, or the 'right to be forgotten'. This right is understandably very limited in the healthcare sector, as the authorisation to process personal data, including the length of time for which it may be processed in connection with the provision of health services or for statistical purposes, derives from the Act on Health Services and the Decree on Medical Documentation. It is in the patient's interest that his/her medical records are complete and can be used as a basis for further treatment and, for example, to deal with alleged or actual misconduct by staff; and
- other rights: the right to restriction of processing, the right to be notified of erasure or rectification, the right to data portability, the right to object, the right not to be subject to automated decision-making, including profiling, and the right to lodge a complaint with a supervisory authority.
Each health service provider must have a designated person responsible for the processing of personal data.
Administrative fines must be effective, proportionate and dissuasive, and are imposed according to the circumstances of each individual case.
Not every infringement of the GDPR must therefore result in a fine: a controller whose processing operations have infringed the GDPR may instead be reprimanded, ordered to comply with the data subject's request, or ordered to bring the processing into compliance with the GDPR, among other corrective measures.
The GDPR provides for administrative fines of up to (Article 83 of the GDPR):
- €10 million, or in the case of an undertaking up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringing provisions on the obligations of a controller, processor, certification body or monitoring body; and
- €20 million, or in the case of an undertaking up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringing provisions on the basic principles for processing, data subjects' rights, transfers of personal data to a recipient in a third country or international organisation, or non-compliance with an order or a limitation on processing by the supervisory authority.
The division into two groups of administrative fines reflects the importance of the obligations breached; the higher group contains obligations whose breach is expected to have a greater impact on the data protection rights guaranteed by the GDPR. The lower rate covers, for example, breaches of the provisions on records of processing activities or data protection impact assessments, while the higher rate covers, for example, breaches of the principles and lawfulness of processing, the conditions for consent, the conditions for processing special categories of personal data, and the rights of the data subject.
11. Other Areas of Interest
The Czech Republic is still waiting for comprehensive legal regulation of telemedicine. The first steps should be an amendment to the Act on Health Services or the forthcoming Act on Electronic Healthcare (only available in Czech).
Special rules apply in accordance with:
- Medical Devices Regulation;
- In Vitro Diagnostic Medical Devices Regulation;
- Act on Medical Devices; and
- Act on In Vitro Diagnostic Medical Devices.
Kamila Seberova Counsel
Wolf Theiss, Prague