Since the General Data Protection Regulation 2016/679 (GDPR) came into force, the status of controller has been the subject of much reflection, discussion and dispute. Supervisory authorities across Europe have issued a series of opinions on how to interpret the GDPR's definitions of controller, joint controller and processor. These concepts play a crucial role in the application of the GDPR, because they determine who is responsible for compliance with the various data protection rules and how data subjects can exercise their rights in practice.
Every legal field has its own contentious topic, and in the world of data protection controllership is certainly one of them. Matters become even more complex in specific industries such as life sciences, which is the focus of this article.
But why is determining who the controller is still so complex, given the definition provided by the GDPR and all the opinions and guidance released over recent years?
Starting from the definitions of controller and processor, this article focuses on the controllership issues encountered in the life sciences sector, particularly in clinical trials. It briefly sets out the data processing that takes place in a clinical trial in order to analyse the role played by each party, and finally reflects on the current guidance, and perhaps the lack of direction, on the controllership role.
Under Article 4 of the GDPR, the controller is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; (…)" (Art. 4(7)), while the processor is "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller" (Art. 4(8)).
As the European Data Protection Board (EDPB) has explained at length, the overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing operation; this includes situations "(…) where the decisions complement each other and are necessary for the processing to take place in such a manner that they have a tangible impact on the determination of the purposes and means of the processing". An important criterion is that the processing would not be possible without both parties' participation.
With the above in mind, how do these concepts apply to a medical research study? Two parties play the key roles in a clinical trial: the organisation that sponsors the study (the Sponsor) and the Site (typically a hospital) where the trial takes place, which provides the facilities, the clinicians and the patients who participate.
How do they interact in terms of controllership? Under an origin-based approach to controllership, each controller is responsible for the data it introduces into the systems used for the clinical trial:
- the Sponsor is responsible for the data they add into the trial’s systems; and
- the Sites are responsible for the data they collect in their medical care systems (e.g. the patient's medical history) and process in order to provide primary care.
Therefore, under an origin-based approach, Sponsors and Sites in a clinical trial are to be regarded as two autonomous and independent controllers, each for the data-processing purpose it pursues.
The UK Health Research Authority (HRA) takes this view and points in exactly this direction in the standard, ethically approved agreements it provides to regulate the relationship between Sponsors and Sites. Each of these model agreements establishes two separate and autonomous controllership positions.
However, even if this position and the reasoning behind it are acceptable, at least two concerns remain:
- the approach focuses mainly on the purpose of the processing and does not consider the means in sufficient depth;
- how can data collected for the purposes of the research be distinguished from data collected for medical care?
On the first point, EDPB Guidelines 07/2020 make clear that, when determining who the controller of a given processing operation is, the "means" of the processing must also be considered. These refer not only to the technical ways in which data are processed but also to how the processing is organised, which includes questions such as which data are processed, which third parties have access to them and when they are deleted.
This reflection leads directly to the second point: how can datasets be separated according to the purpose for which they were collected? In other words, how can we determine for which data the Sponsor or the Site holds controller status, and so ensure compliance with the corresponding controller obligations on transparency, accountability, international transfers and so on?
Would it not be reasonable to consider a joint controller position? Unfortunately, there is no clear guidance on this from the UK supervisory authority, the Information Commissioner's Office (ICO), and in my view such guidance is badly needed. At EU level, however, the EDPB accepted the joint controller position in the guidelines mentioned above, giving the following example:
“A health care provider (the investigator) and a university (the Sponsor) decide to launch together a clinical trial with the same purpose. They collaborate together to the drafting of the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant) etc.). They may be considered as joint controllers for this clinical trial as they jointly determine and agree on the same purpose and the essential means of the processing. The collection of personal data from the medical record of the patient for the purpose of research is to be distinguished from the storage and use of the same data for the purpose of patient care, for which the health care provider remains the controller”.
Nevertheless, the example is very specific, and the Board itself recognises that further guidance is necessary and expected.
To conclude, even though there is no final and definitive position on this, in my opinion a "one size fits all" approach that determines controllership in clinical trials solely on the basis of purpose is not satisfactory. Under such a standard determination, one of the most significant risks is that a party acts as a processor when in law it is actually a controller.
It is important to stress that, regardless of what the contract says or what the parties have agreed between themselves, a party's actual responsibility as controller or processor is determined by the law and applied by the relevant supervisory authority in the event of a conflict, dispute or investigation. The Sponsor's position on the controllership model in a clinical trial should therefore rest on a clear justification supported by strong, well-documented arguments (e.g. as part of the record of processing activities), ready to be produced if any authority or party involved raises the question.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation)
EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR