Basic Context of the CoC
The CoC (so far only available in Spanish here) is a national code of conduct promoted by Farmaindustria (the national business association of the pharmaceutical industry) that regulates how data protection rules impact the development of clinical trials and compliance with pharmacovigilance obligations.
It applies to the processing activities of adhered Sponsors and Clinical Research Organizations (CROs) in Spain under the jurisdiction of the Spanish Data Protection Authority, AEPD. The provisions of the CoC do not apply to investigations already initiated prior to the CoC taking full effect. However, it will be considered good practice to take the appropriate measures to bring those investigations in line with the CoC.
The Spanish DPA has also published a report approving the CoC.
We analysed the impact of the CoC in clinical trials here.
The purpose of pharmacovigilance is the identification, quantification, evaluation and prevention of the risks involved in the use of medicines, thus allowing the monitoring of possible adverse effects medicines may cause. In this context, the detection and reporting of any adverse reactions becomes extremely important.
Accordingly, all relevant parties must comply with data protection laws while also being subject to, and meeting, pharmacovigilance obligations. Traceability duties entail singling out individuals and processing personal data (coded or not). The main purposes of processing data for pharmacovigilance are:
- The communication of information on the adverse reaction to the competent Spanish and European authorities;
- The analysis of the information about the reaction and its evolution to assess the risk/benefit ratio of the product; and
- Compensation to the patient who has suffered an adverse reaction.
Collection of data regarding an adverse event
While referring to the general GDPR principles, the CoC provides several graphics describing how pharma companies receive adverse event notices and how they should act upon receiving them via telephone, postal service, social networks, in person and electronic means. It also provides for templates to respond, depending on who carries them out (healthcare professionals, patients or their representatives, or third parties).
Having these procedures documented is important to support compliance with the GDPR.
Where the pharma company receives coded data, the collection of directly identifiable information should be avoided (or even deleted). Mechanisms and procedures must be in place for this purpose.
Legal basis of processing activities and applicable derogation to process health data
The fact that pharmacovigilance duties are regulated has a direct impact on legal basis / derogation for processing health data. The CoC expressly states that the processing is necessary for reasons of public interest in the area of public health and art. 9.2 (i) will apply. The legal basis would be compliance with a legal obligation (art. 6.1(c) GDPR), or even the data subject’s vital interest (art. 6.1(d) GDPR) in some severe cases.
While data subjects’ consent is not required for pharmacovigilance purposes, they must be informed about the processing of their data for this purpose.
According to pharmacovigilance obligations, and only for the purpose of complying with them, data shall be kept for at least 10 years after the expiry of the worldwide marketing authorisation (including the 5-year period relating to the pharmacovigilance system master file).
Record of processing activities
Pharma companies must have a duly completed record of processing activities in accordance with art. 30 GDPR, including the pharmacovigilance purpose (it is not mandatory to have separate “entries” for the same medicine). Where the personal data is coded, this must be indicated therein, establishing that no access to directly identifiable data is processed.
Access to the data by other parties
There are many different data flows to other companies or authorities arising from pharmacovigilance obligations.
Before going into detail regarding communication of data to third parties, there are general obligations that need to be met:
- Data subjects (not only patients) need to be informed of the recipients of the personal data under arts. 13 and 14 GDPR (controllers, processors or joint controllers). If the recipient is a data processor, this information can be included as a general reference to the services provided by such processor.
- The recipients (including group companies) need to be included in the record of processing activities.
- Where the information is anonymised (i.e. irreversibly altered in a way that the recipient cannot, by any means, re-identify the individual), which is easier where the pharma company receives coded data, no additional measures are required in terms of data sharing and international data transfers.
Access by processors
Where data is provided to data processors (or accessed by them) in the context of services provided to pharma companies and acting on the latter's behalf, the parties shall enter into an agreement based on art. 28 GDPR (a data processing agreement) including express reference to the data storage regime. In addition, if the processor has been appointed to carry out pharmacovigilance duties under applicable laws, the agreement shall include the obligation to comply with the procedures envisaged in the CoC. Where the recipient qualifies as an independent controller, there is no formal need to enter into any specific agreement, but it is highly recommended.
The agreement with the processor must indicate if the information is coded.
The processor must always indicate, when contacting a notifier, that it acts on behalf of the pharma company.
The above also applies to commercial licensing, authorisation and sale agreements with a third party.
Disclosures to relevant authorities
The main pharmacovigilance obligations entail sharing personal data with EU (EudraVigilance database) and Spanish authorities in compliance with legal obligations. These communications do not raise many concerns apart from the general duties above.
Disclosures to companies of the group (intragroup data flows)
Pharmacovigilance laws require the rightsholder of the authorization to designate a responsible entity for the purposes of pharmacovigilance in the European Union, who will be in charge of setting up and maintaining the system. Thus, it is possible that multinational groups may have a single responsible point of contact for pharmacovigilance in the European Union (i.e. not necessarily located in Spain). This single point of contact would centralize all information regarding pharmacovigilance within the group including personal data related to adverse effects.
The CoC indicates that the legal bases for these data flows are the need for each entity in the group to comply with legal obligations (including the obligation to centralise responsibility for pharmacovigilance), as well as the group's legitimate interest in sharing data for internal administrative purposes (see Recital 48 GDPR), after carrying out the due balancing test.
Disclosures to insurance companies
Companies are permitted to share personal data with insurers when they are required by law to have a civil liability insurance policy in place to cover damages, based on the need to comply with a legal obligation.
International transfers to countries outside the EU
The CoC sets no special requirements for international data transfers (in general, cases in which the recipient is not based in the EU or EEA); the general GDPR rules apply, so an appropriate safeguard under the GDPR is required. The CoC expressly refers to the derogation under art. 49(1)(d) GDPR (i.e. the transfer is necessary for important reasons of public interest) for cases in which the non-EU/EEA recipient is obliged by local laws to notify data to third-country health authorities.
The pharma company needs to carry out a transfer impact assessment in order to verify that personal data will be safe in that third country, taking into account local laws, practices, etc.
Data subject rights
Under GDPR, data subjects can exercise several rights with respect to data protection, including the rights of access, rectification, erasure, objection, portability and the restriction of processing.
Two disclaimers are in order before making some considerations:
- Objection and portability rights are not applicable as the processing activities related to pharmacovigilance are based on the compliance with laws.
- This section only deals with GDPR rights and not other rights under clinical or medical laws.
While general GDPR rules apply in this regard, the following should be highlighted:
- Individuals should always receive a reply within the terms provided in the GDPR (within one month). Even where individuals do not have the right in question (e.g. portability), or the right has been exercised by mistake against the wrong pharma company, or the pharma company only holds coded or anonymised data (and therefore cannot identify patients), the recipient of the request must still reply, denying the request.
- Data subjects need to be given the possibility to exercise their rights by informing them via privacy notices, and requests shall be submitted and answered by electronic means (unless the data subject prefers other means).
- When the CRO has been designated to handle pharmacovigilance obligations, but not designated to respond to data subjects’ rights under GDPR, the CRO shall provide the pharma company with the request within 48 hours of receipt.
- The pharma company may also refuse a rights request when the request refers to the conclusions reached on an adverse event, and not to the data subject's personal data.
The CoC provides many templates of responses to data subjects’ rights requests, including different scenarios (see list of annexes below). In addition, it describes the general procedure to be followed upon receiving a request.
Particularities related to data protection rights arising from compliance with pharmacovigilance duties
Right to rectification: In this context, inaccurate data are uncommon, so this right will generally amount to updating contact details.
Right to erasure: It will generally be restricted insofar as the legal basis of the processing consists in complying with legal obligations.
Right to restriction of processing: Upon receiving a request for restriction of processing, the pharma company would need to relocate the affected personal data to a different information system, so that users who would normally access this data are prevented from doing so while the request is pending.
Finally, the CoC provides for the following annexes including templates with the main content to comply with data protection obligations (mainly information duties) with regard to pharmacovigilance:
- Informative clause (via telephone) for the referral of the notification to the pharmacovigilance department.
- Informative clause on the management of the adverse reaction for the patient or legal representative.
- Informative clause (via telephone) on the management of the adverse reaction for the third party.
- Informative clause (via telephone) on the management of the adverse reaction for the healthcare professional.
- Informative clause (electronic means) on the management of the adverse reaction for the patient or legal representative.
- Informative clause (electronic means) on the management of the adverse reaction for the third party.
- Informative clause (electronic means) on the management of the adverse reaction for the healthcare professional.
- Template of response requesting the affected person to correct their request.
- Template of response to the affected person for those cases in which it is necessary to extend the period established by law.
- Template of response to be sent by the CRO to the affected person informing them that their request has been notified to the pharmaceutical company.
- Template of response to data subject’s right of access.
- Template of response to be sent to the data subject in case of processing a large amount of information.
- Template of response to be sent to the data subject to deny their right of access.
- Template of response to data subject’s right of rectification.
- Template of response to be sent to the data subject to deny their right of rectification.
- Template of response to data subject’s right of erasure.
- Template of response to be sent to the data subject to deny their right of erasure.
- Template of response to data subject’s right to restriction of processing.
- Template of response to be sent to the data subject to deny their right to restriction of processing.
- Informative clause (via telephone) on the management of the adverse reaction with coded data for the healthcare professional.
- Informative clause (electronic means) on the management of the adverse reaction with coded data for the healthcare professional.
- Informative clause (postal means or in person) on the management of the adverse reaction with coded data for the healthcare professional.
- Records of processing activities template in relation to pharmacovigilance.
- Minimum content to be included in contracts between pharma companies and CROs undertaking pharmacovigilance activities with coded data.
- Template of response to data subjects’ rights received by pharma companies undertaking pharmacovigilance activities with coded data.