8. Data Management

8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest? 

  1. The General Data Protection Law (LGPD) (English translation) - https://iapp.org/media/pdf/resource_center/Brazilian_General_Data_Protection_Law.pdf
  2. Resolution CFM No 1.821, 23 November 2007 (Portuguese) - http://www.portalmedico.org.br/resolucoes/cfm/2007/1821_2007.htm

8.2 What are the data locality rules within each jurisdiction?

  • Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?

There is no specific regulation on this matter.

  • Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?

There is no specific regulation on this matter.

  • Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?

Transfer of data to third countries is permissible only if there is a legal basis for the processing/transfer, and the destination must then be one of the approved or whitelisted jurisdictions.

  • Does data need to be collected in the country? Do the servers need to be in the country?

There is no specific regulation on this matter. However, if data is collected in a country other than Brazil, that country's regulations about data transfer will need to be followed.

  • Are there data storage and transmission requirements (for data transfer out of the country)?

Yes. Transfers of personal data to third countries are permissible only if there is a legal basis for the processing/transfer and one of the following applies:

  1. Approved adequate/whitelisted jurisdictions
  2. To holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and security authority 
  3. Approved standard contractual clauses
  4. Binding corporate rules
  5. Derogations, such as consent, contract performance, the necessity to establish, exercise, or defend legal claims
  6. Other solutions

As per Article 33 of the General Data Protection Law (LGPD), other transfer mechanisms available include:

  • When the transfer is necessary for international legal cooperation between public intelligence agencies, public investigation agencies, and public prosecution agencies, in accordance with international law mechanisms.
  • When the transfer is necessary for the protection of the life or physical safety of the data subject or a third party.
  • When the ANPD authorizes a specific transfer.
  • When the transfer is a product of a commitment undertaken under international cooperation.

  • Are there any exceptions made for research to the local privacy regulations?

No.

  • Who is allowed to view data (including the PI) and have access to Personally Identifiable Information (PII)?

The sponsor is responsible for deciding who can access the data.

For the purposes of data protection requirements, the sponsor acts as the “controller” who is responsible for decisions regarding the processing of personal or sensitive personal research data. Within this context, the sponsor (controller) may carry out studies as a research body, guaranteeing, whenever possible, the anonymization of personal data.

8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)

Clinical software is not considered a clinical device.
