CLINICAL DEVELOPMENT IN EU
Every sponsor conducting a trial in the European Union (EU) without a registered office within the territory of the European Economic Area (e.g. a sponsor from the USA, Japan or any other territory outside the EU) is required by the European Union Commission, through its directive 2001/20/EC, to work with a legal representative in one of those countries.
CLEMANN GROUP offers to be your legal representative in the EU, and acts as a support for your project to ensure compliance with the requirements of both the EU Commission and the Health Authorities.
Each clinical trial requires a legal representative who will act as the agent of the sponsor in the event that legal proceedings are initiated and instituted within the EU/EEA.
LEGAL POINTS TO CONSIDER
Why a legal representative?
What are the obligations of a Legal Representative?
What are the obligations of the represented structure?
Why CLEMANN GROUP?
Where do CLEMANN GROUP's services extend?
GLOBAL DATA PROTECTION REGULATION IN EU
« The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. »
The goals of the GDPR rules are:
- To give people ownership of, and more control over, their personal data
- To let businesses benefit from a level playing field and to simplify business across the EU and the 15 adequate countries
The law has applied to all EU countries since 25th May 2018, and all companies, based in or outside the EU, that collect or process EU residents' personal data must comply with GDPR rules.
CLEMANN GROUP offers to be your GDPR legal representative in each EU country, and acts as a support for your project to ensure compliance with the requirements of the 2018 reform of EU data protection rules.
LEGAL POINTS TO CONSIDER FOR GDPR LEGAL REPRESENTATION
Who are the GDPR stakeholders?
1 – Data Controller (= The sponsor)
Companies sponsoring the data collection in view of automated processing (can be paper) e.g. Pharma or Biotech companies
2 – Data Processor (= The Clinical Research Organization)
Companies processing data provided by others, or collecting data on behalf of others e.g. CROs, software vendor, data hosting company, clinical site
3 – Data Protection Authority (DPA = The Authority)
Country specific Authorities controlling data protection and law application
What are the key principles of GDPR rules?
Critical processes (*) are inventoried, and then each critical process needs:
- to be filed in a central repository with a deeper level of information, including:
  - initial objective of the process, names of processors, whether the data go out of the country, new goals of the process if any, etc. (register of processes, or record of processing activities)
  - Informed consent needs to be more detailed and updated if necessary
- a Data Protection Impact Analysis (DPIA) as a detailed risk-based document.
(*) Critical processes: data on healthcare, ethnicity, race, politics, trade union, religious beliefs, children, elderly or harmful people and any mass processing of personal information allowing profiling of people. One epidemiological or clinical study is a critical process.
2 – A Data Protection Officer representing the Controller or Processor in each country where it is operating
In case the controller or processor, « as a core activity monitors individuals systematically and on a large scale, or that process special categories of personal data on a large scale », a Data Protection Officer (DPO) needs to be identified.
The DPO requires 3 hard skills:
- IT and Data Management,
- Health Science Business,
- Regulatory knowledge
A DPO can be an external consultant and be shared by several organizations.
The major roles of a DPO are to:
- Carry out DPIA and audits
- Monitor compliance
- Act as contact person for DPAs, Data Subjects, sub-contractors, data controllers
- Update documentation and procedures
The DPO must be independent from data processes and easily contactable by citizens. Indeed, data breaches need to be notified to the local DPA (and to citizens if high risk) within 72 hours. A citizen's request needs to be answered within one month, in native language (subject access requests). Communications must take place in each country-specific/applicable language used by the DPA and Data Subjects. The contact details of the DPO need to be published by the Controller and Processor (the name is not required).
Why CLEMANN GROUP?
We offer competent, flexible and cost-efficient representation services. Thanks to our collaborative orientation, we gather the most qualified and experienced regulatory experts to follow your project from the starting point, reducing wasted time and resources.