Search for:
Cybersecurity, Data and Tech

Spain: Spanish Data Protection Authority approves the first industry code of conduct to enable compliance of clinical research and pharmacovigilance with the GDPR

By 4 Mins Read

In brief

The Spanish Data Protection Authority (AEPD) has recently approved the first industry code of conduct under the General Data Protection Regulation (GDPR). This industry code has been promoted by Farmaindustria and it governs the processing of personal data in the field of clinical trials and other clinical research and of pharmacovigilance, when they are conducted in Spain.

In more detail

The GDPR encourages the setting up of self-regulatory systems by associations which represent groups of data controllers or processors, in order to supplement and tailor the general provisions laid down in the GDPR. Adhesion to a code of conducted adopted as part of this self-regulatory system can be used to support the existence of sufficient guarantees of compliance with the GDPR.

In this sense, Farmaindustria (the trade association representing innovative pharmaceutical companies established in Spain) has adopted a new code of conduct regulating the processing of personal data in the field of clinical trials and other clinical research and of pharmacovigilance (“Code of Conduct“), after approval by the AEPD.

The Code of Conduct replaces a previous code adopted by Farmaindustria back in 2009 under the former data protection regulations, and is presented to the members of Farmaindustria for them to voluntarily adhere thereto. Indeed, Annex 1 to the Code of Conduct contains a template of application of adherence.

With regard to the content of this Code of Conduct, the following should be noted:

  • The Code of Conduct will apply to sponsors of clinical trials, whether they are associated to Farmaindustria or not, and to clinical research organizations (CROs) in Spain, insofar as they adhere to the Code of Conduct and process personal data to perform clinical research or to comply with pharmacovigilance.

This will not apply, though, to research initiated before the Code of Conduct comes into full effect.

  • The Code of Conduct sets out a standard operating procedure (SOP) for clinical trials and related research. It establishes that no data protection consent is needed once the participant has agreed to join the clinical trial. The information obligations remain. This SOP regulates, inter alia, the secondary uses of personal data for further research without the participant’s consent or the duty of active responsibility especially when it comes to security breaches. The SOP also incorporates templates of data protection clauses to be used in the agreements between the sponsor and other research players.
  • As regards pharmacovigilance, the Code of Conduct sets forth different rules based on whether the personal data is identifying data or, on the contrary, codified data. Moreover, the Code of Conduct lays down a uniform protocol on pharmacovigilance with specificities based on the channel and the person who makes the notification, and with special rules in case the adverse reaction comes to the company’s knowledge through social media.
  • The Code of Conduct designates a so-called Code of Conduct Governing Body (OGCC) to monitor compliance of the adhered companies with the Code of Conduct and to liaise with the AEPD on behalf of Farmaindustria. The OGCC will remain independent from Farmaindustria.
  • The Code of Conduct foresees a specific disciplinary regime which applies to adhered companies without prejudice to the legal provisions set forth in the GDPR and the Spanish Organic Law 3/2018 (LOPDGDD).
  • The Code of Conduct establishes a voluntary and free dispute settlement system before which data subjects can file claims for infringement of data protection rights by any of the adhered companies. Claims will not be admitted when the AEPD or the Spanish courts are hearing them.
  • The Code of Conduct will be reviewed as needed. In any case, the Code of Conduct shall be reviewed and (if applicable) updated every 4 years.
Categories:
Author

Montserrat has extensive experience in pharmaceutical and health law, as well as in compliance, contract law, licensing, competition law and acquisitions in the pharmaceutical sector. She is the coordinator of the healthcare practice in the Barcelona office.
She assists healthcare companies throughout the life cycle of healthcare products (drugs, IVD and medical devices, combination products, cosmetics and food supplements), from R&D to commercialization and more specifically in the areas of clinical trials (agreements, regulatory procedures, processing of personal data), market access (pricing and reimbursement), products and companies regulations (MA/CE-marking, vigilances, required licenses, product classification, labelling), commercial relations between healthcare industries (distribution, (co)promotion, manufacturing, supply, licensing, partnership agreements), relations with healthcare professionals and/or patients including compliance (anti-gift and transparency laws); communication and advertising, e-health (connected devices, telemedicine, hosting of health data) and product liability. Her practice encompasses both advisory and litigation matters.
She also has considerable experience in the drafting of codes of professional ethics and conducting compliance audits, and advising on advertising and promotion of medicines and medical devices, including via the internet, online advertising and social media. Montserrat advises on a wide range of agreements related to the pharmaceutical industry, such as license and distribution agreements, clinical trial agreements, and supply and manufacturing agreements.

Related Posts