General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the privacy legislation which applies throughout the entire European Union. It stipulates the requirements that have to be met when processing (collecting, using and retaining) personal data and the rights of data subjects. You can find information about the consequences of the GDPR for medical scientific research below.

What type of data does the GDPR apply?

The GDPR applies to the processing of ‘personal data’. All data that can be traced back to an individual falls into the category of personal data. Encoded or pseudonymised data is also personal data and is covered by the GDPR. The GDPR only no longer applies when data is completely anonymised and no longer traceable to an individual. Strict requirements have to be met before  anonymization is achieved. More information on this topic  (in Dutch) can be found on the website of  the Data Protection Authority.

Do research subjects have to give re-consent for the use of their personal data in ongoing studies?

No. In research within the scope of the Medical Research Involving Human Subjects Act ( “WMO”) explicit consent is already asked from the subjects for the processing of their personal data in the context of the study. This is done on the basis of a corresponding text in the Subjects Information Form ( “PIF”) and the  informed consent form. This is consent is asked separately from the consent for participation in the study that is required by  the WMO. Consent for the processing of personal data must be explicitly  asked  and is not implied by or can not be derived from the consent for participation in the study. . The quality of the consent as currently obtained is such that it meets the GDPR requirements. It is not necessary to ask subjects who participate or have participated in approved studies  within the scope of the WMO for re-consent for the  processing of their personal data.  

Has the information about the processing of personal data been changed in the PIF?

Yes. The previous template PIF already contained information on the processing of  personal data in studies. Due to the GDPR that information needs to be refined and clarified. It is alsno necessary to supplement the information with contact information for the ‘controller’, contact information of the ’data protection officer’ and a referral to a location where more information on the ‘rights of data subjects’ can be found. These additions have been included in the current template PIF. Please also consult the Q&A.

How should subjects be informed about their new privacy rights?

The GDPR stipulates that data subjects are given more rights than before when their personal data is being processed, and that data subjects must be informed appropriately about such processing. There is no added value in describing data subjects rights  in a general way in the PIF or adding them to the PIF as an appendix. . Therefore  the current template PIF only contains  a reference to reliable information about data subjects rights on the website of the Dutch Data Protection Authority. Please  also consult the Q&A.

Should a modified PIF be used for subjects who are included in an ongoing study on or after 25 May 2018?

No. For a PIF approved by an accredited MREC before the GDPR was applicable, the Central Committee on Research Involving Human Subjects (CCMO) is of the opinion  that it is sufficient to comply  with the GDPR. That version can also be used for new subjects who are yet to be included in the study. However it will be  important to provide all research subjects with the required additional information (contact details of the controller and data protection officer, and where to find further information about the ‘rights of the data subject’) in an appropriate way. An  ‘appropriate way’ can be that the subjects are made aware of the location where they can find  such information for instance during contact moments and – if desired – also receive such information in writing. It is recommended to document  how and when this additional information was provided to the subjects. This  additional information does not have to be submitted to the MREC as an amendment or notification.

How should participants in ongoing or completed studies that fall within the scope of WMO be informed about their new privacy rights?

The PIFs used for ongoing and completed research could be insufficient  in the provision of information on all aspects  required by the GDPR. This particularly concerns the information about the controller, the data protection officer and the ‘rights of the data subject’. When providing additional information to  current or former participants on these points, it is important to choose  form and means tailored to the needs of the participants  and – where possible – link it to general information campaigns about rights under the GDPR. For the time being, the CCMO is not in favour of approaching those participants individually in writing with additional information.  . In our estimation, a combination of a general information campaign about the GDPR and modified information on the websites of parties involved in research that falls within the scope of the WMO (institutions and pharmaceutical businesses) can achieve the desired result.

What does the GDPR mean for the use of personal data for future research?

The GDPR requires that the consent for the processing of personal data must be sufficiently specific. Since at the time consent is requested for using personal data in future research, there are usually not enough specifics on what that research will involve, there may be a problem in getting legally valid  specific consent. When drafting the GDPR this was recognised as a problem and it was stated that legally valid consent for ‘future-use’ of personal data can be given, provided that such future-use is defined in general terms. This can for example be done by defining  the scope of the field of research (for example a specific condition and/or a specific treatment) for which the personal data may be ‘future-used’. In situations where future-use of the personal data falls outside that scope, consent will have to be requested again, or the exemption clause for the use of personal data for scientific research without permission of the data subject must be applicable.

When is a contract between controller and processor necessary?

A contract meeting all the requirements of the GDPR is necessary if a ‘data controller’ entrusts the processing of personal data entirely or in part to another party, the processor. The activities of the processor should be restricted to  processing of personal data on behalf of the controller and should not involve  other activities.

For example, if a researcher (controller) calls in an external laboratory to do analyses of bodily materials, this external laboratory is not considered to be  a processor. An agreement should be made on the confidential handling of personal data obtained from the analyses, but not necessarily have to contain  all the GDPR requirements for a contract between controller and processor.

For research commissioned by, for example, a pharmaceutical company, the relationship between that sponsor  and the participating centres is that  joint controllers responsible  for the processing of personal data in the study. The GDPR requires  that mutual agreements must be made about how personal data is processed and how confidentiality is guaranteed. However this is not  a  contract as required between controller and processor. . Currently, the Clinical Trial Agreement (CTA) working group of the Dutch Clinical Research Foundation (DCRF) is working on the adjustments that have to be included in the research contract between the sponsor and the participating centre.

Where can I find more (general) information about the GDPR?

You can find more (general) information about the GDPR (in Dutch) on the website of the Dutch Data Protection Authority.

It should be taken into account  that both the amended text of the PIF about the processing of data as well and the insights and considerations of the CCMO as expressed are based on information about the GDPR (and its interpretation) that is available at this moment in time. Information on the interaction between the GDPR and the legislation and regulations for research is also still scarce. This means that the CCMO cannot exclude the possibility that the information and recommendations that it is now making available may need to be adjusted at a later date. Should that be the case, the CCMO will actively call the attention of those concerned to these adjustments.