GDPR
What is the General Data Protection Regulation (GDPR)?
The General Data Protection regulation or the GDPR(link is external)(link is external) is a European Union (link is external)(link is external)(EU) regulation designed to protect the privacy rights of Individuals in the European Economic Area(link is external)(link is external), which includes the European Union, Iceland, Norway, and Lichtenstein. It is intended to be an overarching privacy regulation for all EU Member States and replaces prior EU privacy regulations.
What does GDPR do?
GDPR expands privacy rights for individuals located in the EEA Specifically, it guarantees certain rights, depending on how the data is used:
-
The right to be informed about data collection, the specific intended use of the data, and the right to be informed if the intended use changes;
-
The right to make informed decisions regarding the use and disclosure of the data;
-
The right to access the data; and
-
The right to have the data returned or deleted.
It also impacts data pertaining to these individuals even when the data is located in other countries, regardless of the citizenship of the individuals. Specifically, the GDPR establishes a framework for safeguarding how personal data is used, such as:
-
Ensuring that the data is transferred, processed, stored and eventually disposed of using appropriate technical safeguards;
-
Limiting the use/processing of the data to purposes that comply with GDPR requirements (e.g., managing the academic records of UC students studying in the EEA as part of Education Abroad);
-
Requiring third parties who receive the data to adopt UC’s GDPR protections and safeguards through changes to contract terms.
Who does GDPR apply to?
GDPR applies to all organizations that are established in the EEA, including higher education institutions (e.g., a study center in Europe). It also applies to organizations not physically in the EEA when goods or services are offered to individuals in the EEA (e.g., applications for admissions), or monitor the behavior of individuals in the EEA (e.g., research that includes EU citizens).
Do higher education institutions like UC Berkeley need to worry about GDPR?
Yes. All organizations need to think about GDPR, including higher education institutions like UC Berkeley.
Are there penalties for GDPR non-compliance?
Yes, GDPR imposes significant monetary penalties for organizations that do not comply with the regulation. The fines are up to €20M ($28M) or 4% of global revenue.
Which countries are part of the European Union and European Economic Area?
List of EU countries
- Austria
- Belgium
- Bulgaria
- Croatia
- Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- The Netherlands
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- United Kingdom
List of EEA countries
- All 28 EU countries above as well as Iceland, Liechtenstein, and Norway.
What is the territorial scope of the GDPR?
The GDPR applies to organizations located within the EU and organizations outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects and applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location and whether the person is a citizen. The GDPR is therefore a significant change because the territorial scope of the regulation is more expansive than Directive 95/46/EC.
Example 1: Sponsor in the EU/EEA
- If the sponsor is based in the EU/EEA then the GDPR applies to the data processing activities, even if the processing itself is not performed within the EU/EEA and even if there are no data subjects within the EU/EEA.
Example 2: Sponsor not in the EU/EEA
- If an organization has offices in the EU/EEA involved in some aspects of the clinical trial (e.g. a central data management organization and/or system managed from a EU/EEA-based establishment), then the sponsor may be considered as established in the EU/EEA and the GDPR may apply.
- If the clinical trial data is intended to support a market authorization filing in the EU/EEA, then there is a data processing activity taking place in Europe for the purpose of the data submission. The GDPR may therefore apply.
- If a full service CRO established in the EU/EEA, is being delegated the definition of the purpose of the clinical trial, and, as such, qualifies as a joint-controller, then the GDPR would apply even if the sponsor is not located in the EU/EEA.
Example 3: Data Subjects in the EU/EEA
- If the clinical trial includes data subjects within the EU/EEA, then the GDPR applies in its entirety. This applies irrespective of where the sponsor and CROs/vendors are located, where the data processing is performed or where the data submission is planned.
- If a sponsor not based in the EU/EEA is processing data from data subjects within the EU/EEA then they must nominate in writing a representative within the EU/EEA who fulfills their responsibilities with regards to GDPR. Note that this applies even if the data subjects are not EU/EEA citizens, if their information is collected while they are within the EU/EEA.
Example 4: Person Living or Traveling in the EU/EEA
- A person in the EU/EEA (even if not a citizen) is subject to the GDPR.
Example 5: Application to U.S. Organizations
- The GDPR applies to U.S. Organizations if under the circumstances below, and will apply in a broader range of circumstances than prior to the repeal of the Directive: (1) Established in the EU/EEA (e.g. branch or office) and acts as a data controller or data processor; (2) Offers goods or services to individuals in the EU/EEA; and (3) Monitors the behavior of individuals in the EU/EEA.
Example 6: Lead site for research activities taking place at EU/EEA sites
- A prime recipient of an NIH grant which flows through sub-awards to EU/EEA sites.
Example 7: Studies involving the use of technology in research that target enrollment in the EU/EEA
Example 8: Conducting clinical trials for organizations located in the EU/EEA with personal data being sent to and/or processed in the EU/EEA
Example 9: Research arrangements involving European governmental grants or contracts.
- Institutions may be direct awardees or sub-recipients from EU/EEA institutions of European governmental grants or contracts to perform research services.
- Terms of grant may require compliance with GDPR.
- Personal data flows to and from EU/EEA may require compliance with the GDPR if offering goods or services to data subjects.
Example 10: Use of an investigational product in a clinical trial. (This is an example of offering a good or service.) Using an app to monitor the behavior of research participants. (This is an example of monitoring the behavior.)
What are some of the key GDPR definitions?
a. What is the definition of Personal Data?
The definition of Personal Data related to a Data Subject is essentially unchanged under GDPR. “Personal Data” means any information relating to an identified or identifiable natural person (“data subject”). A “data subject” is an identifiable person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b. What is the definition of Sensitive Personal Data?
“Sensitive Personal Data” are special categories of personal data that are subject to additional protections. Under the GDPR, “Sensitive Personal Data” is defined as “personal data” revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
c. What is the Definition of Data Concerning Health
“Data Concerning Health” is defined as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
d. What is the Definition of Pseudonymous Data and how is that different from Anonymous Data?
How is Data Subject to GDPR different than Data Subject to HIPAA?
“Pseudonymous Data” refers to personal data that can be amended in such a way that no individuals can be identified from the data without a key that allows the data to be re-identified. A Coded data set is an example of pseudonymous data. The GDPR encourages organizations to consider pseudonymization as a security measure when appropriate.
“Anonymous Data” refers to data sets that can be amended in such a way that no individuals can be identified from the data (whether directly or indirectly) by any means or by any person. Data that is fully anonymized is outside the scope of the GDPR.
Personal Data under the GDPR is broader than what is covered under HIPAA as the GDPR applies to all sectors of the economy, not just healthcare.
e. What is a definition of a Data Controller?
A “Data Controller” is … “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In clinical research, the Sponsor is always a controller”. Other types of organizations may qualify as joint controllers such as a Contract Research Organization, Investigator, or joint collaborator on a research project.
f. What is the definition of a Data Processor?
A “Data Processor” is “… a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. In clinical research, this corresponds to anyone appointed by the Sponsor to work with the clinical trial, including CROs (project management, monitoring, data management, statistics, medical coding, medical writing, etc.) and Vendors (eCRF/EDC and central labs, etc.).
g. What is the definition of Processing?
“Processing” is defined as “…any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. An example is any operation that affects the data from a clinical trial during its entire life-cycle, from its collection by the sites as source data to its reporting, archival and destruction.
I have heard that subjects have additional rights under the GDPR. Is that true?
Yes, it is. The GDPR creates a range of rights that are available to research subjects under certain situations. Some of the rights under the GDPR include the right that research subjects can obtain copies of all of their personal data and have the right to withdraw consent to further processing of their personal data. Upon withdrawal of consent for research, one can no longer retain the personal data for the purpose of research, including in pseudonymized (key-coded) form. However, one may retain the data if necessary for legal compliance (i.e., for adverse event reporting). Also, the researcher could continue to process the data for research purposes if the data have been fully anonymized through removal of all identifiers associated with the data, including destruction of the key linking the subject’s data to his or her identity (Please see previous note on “anonymized” data).
What are some of the obligations of a controller and processor under the GDPR?
Controllers must ensure that data protection principles and appropriate safeguards are addressed and implemented in the planning phase of processing activities and the implementation phase of any new product or service. As an entity that controls data on behalf of the Controller, a Processor must implement technical and organizational security measures to protect personal data. Examples of technical and organizational security measures include encryption, redundancy and backup at co-location facilities and security testing. There are also breach notification requirements.
What terms and definitions are commonly used in the GDPR?
Data Subject - an identified or identifiable natural living person.
General Data Protection Regulation - European privacy law in effect as of May 25, 2018, which protects the Personal Data of Data Subjects.
European Economic Area - the European Union, United Kingdom, Iceland, Liechtenstein and Norway.
Personal Data - Any information that relates to an identified or identifiable Data Subject; an identifiable Data Subject is one who can identified, directly or indirectly, for example, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more specific factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject.
Processing - any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Pseudonymized Data - Personal Data that can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to Data Subject.
Special Categories - Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
What is an example of a GDPR compliant consent language?
Consent forms that include certain notice requirements and permits processing of the data subject's personal data in the EU/EEA may be required by sponsors established in the EU/EEA.
What are the requirements of consent under the GDPR?
Under the GDPR, consent means “any freely given, specific, information and unambiguous indication of the data subject’s wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Depending on the nature of the processing, there also may be additional requirements. For example, when processing the personal data of children, the consent of the holder of parental responsibility may be required depending on the age and the type of processing.
What are the requirements for the transfer of personal data from the United States to the EU/EEA?
If a US organization transfers personal data to the EU/EEA, the US organization does not require a legal basis to transfer the data. However, the sponsor established in the EU/EEA receiving the data requires a legal basis to process the personal data transferred from a US organization.
Example: US university may need to transfer clinical trial data of research subjects to the EU/EEA when the trial is sponsored by an EU/EEA-based entity or the EU/EEA-based entity serves as the lead site. In this case, the EU/EEA-based sponsor may require the US organization to obtain trial subjects’ consent that meets the notice requirements of the GDPR and permits processing of their data in the EU/EEA.
Example: Clinical research sponsored by an EU/EEA-based company for which an EU/EEA-based university serves as a lead site or data coordinating center. In this case, a US university may need to transfer its employees’ data to the EU/EEA if the US university is serving as a site for an EU/EEA organization. This may require the consent of the employees as they are considered data subjects under the GDPR.
What are the requirements for the transfer of personal data to the United States?
The GDPR requires a legal basis to transfer personal data from the EU/EEA to a country outside of the region such as the United States. A legal basis to transfer personal data from the EU/EEA includes, but is not limited to, the following:
- Obtaining the explicit consent of the data subject to the transfer of the personal data to the United States for processing.
- Entering into model contract clauses approved by the European Commission between the EU/EEA entity transferring personal data from the EU/EEA to the US and the US organization (such as a university or sponsor) receiving the data.
- Data transfers necessary to protect the vital interest of the data subject.
Example: A research collaborator established in the EU/EEA transfers files of pseudonymised (coded) data to a US organization for research purposes. In this case, the organization needs a legal basis to transfer the personal data to the US and a legal basis to process the data in the US.
Are there special requirements for the processing of special categories of personal data?
Yes. The “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation [is] prohibited” unless one of the following applies including:
- Explicit consent to the processing of the data.
- Processing necessary to protect the vital interests of the data subject where the data subject is incapable of giving consent.
- Processing necessary for reasons of public interest in the in the area of public health.
- Processing necessary for scientific or historical research purposes.
For a complete list, see GDPR, Article 9(2), Processing of special categories of personal data(link is external).
What is the lawful basis for processing personal data under the GDPR?
Under the GDPR, the processing of personal data must have a lawful basis. The lawful bases most likely to be relevant to a U.S. university are:
- Data subject consent to the processing.
- Processing necessary for the performance of a contract to which the data subject is a party.
- Processing necessary to protect vital interests of the data subject or a natural person.
- Processing necessary for the legitimate interests of the controller or a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject.
For a complete list, see GDPR, Article 6, Lawfullness of processing(link is external).
Does the GDPR apply to human subjects research?
Yes. The GDPR applies to human subjects research (e.g., interventional trials, non-interventional trials, registry studies, student research, etc.) involving personal data as defined in the GDPR that is within the territorial scope of the regulation. The GDPR adopts a broad interpretation of research that includes publicly and privately funded research such as public health research, technological development and demonstration, fundamental research, and applied research. It also includes personal data processed for historical research and statistical purposes.
Has the Department of Health and Human Services provided any guidance on GDPR?
The Office for Human Research Protections has developed a new resource for IRBs, researchers, and sponsors that are involved in human subjects research in Europe. Titled “Compilation of European GDPR Guidances,” the document lists the data protection authorities of all European countries that fall under the new E.U. General Data Protection Directive (GDPR). For each country, the compilation also provides the links to any general GDPR guidances, as well as specific guidances on the topics of Research, Legal Basis, Consent, and International Data Transfer. The new Compilation is available here: https://www.hhs.gov/ohrp/international/index.html
Is it possible to de-identify data so that GDPR does not apply?
The GDPR does not apply to data that have been “anonymized.” However, for data to be anonymized, the GDPR requires that there be no key to re-identify the data. For example, if Berkeley serves as the sponsor of a research study with a site located in the EEA and receives only key-coded information from the EEA site, the key-coded data from the EEA site remain “personal data” in the hands of Berkeley. This is the case even if Berkeley has no access to the key needed to re-identify the coded data. Unlike in HIPAA, there is no “safe harbor” under the GDPR to which data can be rendered de-identified by removing a specific list of identifiers. Rather, anonymization is judged on a facts and circumstances basis taking into account all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. Given this definition, anonymization is an extremely high standard that is difficult to meet in practice.
What is considered “personal data”?
For purposes of the GDPR, personal data refer to any information that relates to an identified or identifiable natural person (i.e., an individual, not a company or other legal entity), otherwise known as a “data subject.” Personal data may include data that could be attributed to a data subject through the use of additional data, even if that data come from a third-party. Examples of personal data include a person’s name, e-mail address, government issued identifier, or other unique identifier such as an IP address or cookie number, and personal characteristics, including photographs.
There is a subset of personal data, referred to in the GDPR as “special categories” of personal data, which merit a higher level of protection due to their sensitive nature and associated risk for greater privacy harm. Special categories of personal data include several items that are often collected as part of a research study, including information about a data subject’s health; genetics; race or ethnic origin; biometrics for identification purposes; sex life or sexual orientation; political opinions, religious or philosophical beliefs; or trade union membership. Criminal convictions and records, while not among the “special categories” of personal data, also receive heightened protection under the GDPR.
What if I am only receiving coded data?
The GDPR considers key-coded data to be “personal data” and refers to key-coded data as “pseudonymized data,”. This is in contrast to the position under many U.S. research and privacy laws, such as the Common Rule and HIPAA; pseudonymized data are regarded as identifiable personal data and therefore remain subject to the GDPR’s protections, even when in the hands of a person who lacks the key needed to link the data to the data subject’s identity.
What if I am not collecting personal data from individuals in the EEA?
In short, GDPR would not apply. Research studies may not involve the receipt of personal data because the data received may not relate to an identified or identifiable natural person. For example, studies that do not collect information that is linked to a subject’s identity, such as anonymous surveys in which the identities of survey subjects cannot be traced, would not involve the receipt of personal data.
How does the GDPR affect research?
The GDPR may be applicable to a broad range of research activities. For example, the GDPR may apply when Berkeley acts as a sponsor of research occurring in EEA member states; when Berkeley acts as a core data facility or lead site for a multi-national research study with EEA-based sites; and when Berkeley conducts research in the U.S. in which participant data are transmitted to sponsors, servers, or data core facilities in the EEA. Research studies that collect data online from EEA residents may also be subject to the GDPR.