Sponsors outside the European Union conducting clinical trials in the EU should consider current guidelines and the Breyer case to understand whether GDPR requirements will apply to them.
Many sponsors of clinical trials believe that companies based outside the EU that sponsor clinical trials conducted in the EU through clinical research organisations (CROs) and/or clinical sites do not themselves need to comply with the General Data Protection Regulation (GDPR). These sponsors believe the GDPR does not apply to them because they do not conduct the research directly but only receive results in key-coded form, and only their CROs and/or clinical sites have access to the raw data and/or the key that connects the key-coded data to individual patients. However, sponsors need to reconsider this presumption in light of current guidelines and the Breyer case. Similar issues arise in other fields, for example data and market research, in which the organisation commissioning the research receives only key-coded data. Following the GDPR and the Breyer decision, these organisations may still be subject to the requirements of the GDPR.
Is Key-Coded Data Personal Data?
The GDPR defines “personal data” broadly to include any information relating to an identified or identifiable natural person. For this purpose, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (Article 4(1) GDPR).
Breyer decision: The 2016 Court of Justice of the European Union (CJEU) decision in Breyer v. Bundesrepublik Deutschland (which related to Directive 95/46, the predecessor legislation to the GDPR) addressed key-coded personal data. Under Breyer, key-coded information in the hands of a party (Party A), to which a third party (Party B) holds the key, is likely to be considered personal data in the hands of Party A if Party A has the “means likely reasonably to be used” to access the key and to combine the key with the key-coded data. For example, the CJEU noted that Party A would not have the means likely reasonably to be used to identify the person if Party A is “prohibited by law” from obtaining access to the key code. In addition, if accessing the key code would be “practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost, and manpower, so that the risk of identification appears in reality to be insignificant,” then Party A would not have the means likely reasonably to be used to re-identify the data subject. Accordingly, short of a prohibition by law or a practical impossibility of accessing the key code, Breyer suggests that an entity holding only key-coded data may still have means likely reasonably to be used to re-identify the person, and therefore may be deemed to hold personal data, even though the data the entity holds is solely in key-coded form.