In brief

The Spanish Data Protection Authority (AEPD) has recently approved the first industry code of conduct under the General Data Protection Regulation (GDPR). This industry code has been promoted by Farmaindustria and it governs the processing of personal data in the field of clinical trials and other clinical research and of pharmacovigilance, when they are conducted in Spain.

In more detail

The GDPR encourages the setting up of self-regulatory systems by associations which represent groups of data controllers or processors, in order to supplement and tailor the general provisions laid down in the GDPR. Adhesion to a code of conducted adopted as part of this self-regulatory system can be used to support the existence of sufficient guarantees of compliance with the GDPR.

In this sense, Farmaindustria (the trade association representing innovative pharmaceutical companies established in Spain) has adopted a new code of conduct regulating the processing of personal data in the field of clinical trials and other clinical research and of pharmacovigilance (“Code of Conduct“), after approval by the AEPD.

The Code of Conduct replaces a previous code adopted by Farmaindustria back in 2009 under the former data protection regulations, and is presented to the members of Farmaindustria for them to voluntarily adhere thereto. Indeed, Annex 1 to the Code of Conduct contains a template of application of adherence.

With regard to the content of this Code of Conduct, the following should be noted:

• The Code of Conduct will apply to sponsors of clinical trials, whether they are associated to Farmaindustria or not, and to clinical research organizations (CROs) in Spain, insofar as they adhere to the Code of Conduct and process personal data to perform clinical research or to comply with pharmacovigilance.

This will not apply, though, to research initiated before the Code of Conduct comes into full effect.

• The Code of Conduct sets out a standard operating procedure (SOP) for clinical trials and related research. It establishes that no data protection consent is needed once the participant has agreed to join the clinical trial. The information obligations remain. This SOP regulates, inter alia, the secondary uses of personal data for further research without the participant’s consent or the duty of active responsibility especially when it comes to security breaches. The SOP also incorporates templates of data protection clauses to be used in the agreements between the sponsor and other research players.
• As regards pharmacovigilance, the Code of Conduct sets forth different rules based on whether the personal data is identifying data or, on the contrary, codified data. Moreover, the Code of Conduct lays down a uniform protocol on pharmacovigilance with specificities based on the channel and the person who makes the notification, and with special rules in case the adverse reaction comes to the company’s knowledge through social media.
• The Code of Conduct designates a so-called Code of Conduct Governing Body (OGCC) to monitor compliance of the adhered companies with the Code of Conduct and to liaise with the AEPD on behalf of Farmaindustria. The OGCC will remain independent from Farmaindustria.
• The Code of Conduct foresees a specific disciplinary regime which applies to adhered companies without prejudice to the legal provisions set forth in the GDPR and the Spanish Organic Law 3/2018 (LOPDGDD).
• The Code of Conduct establishes a voluntary and free dispute settlement system before which data subjects can file claims for infringement of data protection rights by any of the adhered companies. Claims will not be admitted when the AEPD or the Spanish courts are hearing them.
• The Code of Conduct will be reviewed as needed. In any case, the Code of Conduct shall be reviewed and (if applicable) updated every 4 years.