8. Data Management
8.1 What data privacy and/or technology regulations need to be complied with in order to run a trial in the countries of interest?
Primarily, the GDPR needs to be adhered to. The EU GDPR has been adopted in Spain through the Organic Law 3/2018, of December 5, Protection of Personal Data and Guarantee of Digital Rights (“Spanish Data Protection Act”).
Article 93 of the EU CTR 536/2014 reads as follows:
“1. Member States shall apply Directive 95/46/EC to the processing of personal data carried out in the Member States pursuant to this Regulation.
2. Regulation (EC) No 45/2001 shall apply to the processing of personal data carried out by the Commission and the Agency pursuant to this Regulation.”
Note that, since the CTR was adopted, Directive 95/46/EC has been replaced with General Data Protection Regulation (“GDPR”) 2016/679.
On the basis of the EU GDPR and the Spanish Data Protection Act, the Spanish government has also published a Code of Conduct Regulating the Processing of Personal Data in Clinical Trials and Other Clinical Research and Pharmacovigilance Activities (“Code of Conduct”). The aim of this Code of Conduct is to enable Spanish pharmaceutical companies to comply with the GDPR when conducting clinical trials, other clinical investigations, and pharmacovigilance.
Please see:
- Code of Conduct (Original in Spanish)_Feb 2022
- Code of Conduct (non-official English translated version)_Feb 2022
8.2 What are the data locality rules within each jurisdiction?
- Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?
With respect to any data other than personal data, free movement of data within the European Union is permitted. Please see Article 4.1 of the Regulation (EU) 2018/1807 on ‘A Framework For the Free Flow of Non-Personal Data In the European Union’ which states that “Data localization requirements shall be prohibited unless they are justified on grounds of public security in compliance with the principle of proportionality.”
With regard to personal data, as a general rule, personal data cannot be transferred to countries that do not provide an adequate level of protection unless the requirements for Chapter V of the GDPR are fulfilled.
- Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?
Both the Data Controller and the Data Processor are responsible.
- Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?
There are no specific requirements for using the Cloud indicated within the Spanish legislation or guidance.
The EMA’s Guideline on Computerized Systems and Electronic Data in Clinical Trials contemplates cloud solutions and recognizes the risks associated with doing so, requiring careful contracting. Section 6.7 states the following:
“Irrespective whether a computerized system is installed at the premises of the sponsor, investigator, another party involved in the trial or whether it is made available by a service provider as a cloud solution, the requirements in this guideline are applicable. There are, however, specific points to be considered as described below.
Cloud solutions cover a wide variety of services related to the computerized systems used in clinical trials. These can range from Infrastructure as a Service (IaaS) over Platform as a Service (PaaS) to Software as a Service (SaaS). It is common for these services that they provide the responsible party on-demand availability of computerized system resources over the internet, without having the need or even the possibility to directly manage these services.
If a cloud solution is used, the responsible party should ensure that the service provider providing the cloud is qualified.
When using cloud computing, the responsible parties are at a certain risk, because many services are managed less visibly by the cloud provider.
Contractual obligations with the cloud solution provider should be detailed and explicit and refer to all ICH E6 relevant topics and to all relevant legal requirements (see Annex 1).
Data jurisdiction may be complex given the nature of cloud solutions and services being shared over several sites, countries, and continents; however, any uncertainties should be addressed and solved by contractual obligations prior to the use of a cloud solution.
If the responsible party chooses to perform their own validation of the computerized system, the cloud provider should make a test environment available that is identical to the production environment.”
- Does data need to be collected in the country? Do the servers need to be in the country?
Any collection of data during the conduct of the trials by the Sponsor will be governed by the provisions of the GDPR (by virtue of Article 3 of the GDPR).
Assuming that the data does contain personal data, Chapter V of the GDPR (transfer of personal data to third countries or international organizations) provides for certain conditions under which data may be collected or stored (on servers or otherwise) outside of the European Union.
- Are there data storage and transmission requirements (for data transfer out of the country)?
For any data transfer out of the country (Spain) but within the EU, provisions of Article 9 of the GDPR may apply.
With respect to data transfer outside of the EU region, the entire Chapter V (Articles 46 – 51) of the GDPR may be applicable.
- Are there any exceptions made for research to the local privacy regulations?
Although we have not come across any exception upon review of the Spanish Data Protection Act, it is worth noting that the Spanish authorities have published the Code of Conduct, thereby showing a special concern for the field of clinical trials.
Please see:
- Code of Conduct (Original in Spanish)_Feb 2022
- Code of Conduct (non-official English translated version)_Feb 2022
- Who is allowed to view data (including the PI) and have access to Personal Identifiable Information (PII)?
The study team will have access to the study data as well as personal data.
Study participants must be informed (via the Informed Consent) who will have access to their data. This includes third-party vendors (such as courier/pharmacy) when applicable.
Annex VIIIA provides confidentiality wording that must be included within the Patient Information Sheet (PIS).
8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)
Section 4.10 (and Annex 2) of the EMA’s guideline on computerized systems and electronic data in clinical trials provides recommendations for the validation of systems.
“Computerized systems used within a clinical trial should be subject to processes that confirm that the specified requirements of a computerized system are consistently fulfilled and that the system is fit for purpose. Validation should ensure accuracy, reliability, and consistent intended performance, from the design until the decommissioning of the system or transition to a new system.
The processes used for the validation should be decided upon by the system owner (e.g. sponsors, investigators, technical facilities) and described, as applicable. System owners should ensure adequate oversight of validation activities (and associated records) performed by service providers to ensure suitable procedures are in place and that they are being adhered to.
Documentation (including information within computerized systems used as process tools for validation activities) should be maintained to demonstrate that the system is maintained in the validated state. Such documentation should be available for both the validation of the computerized system and for the validation of the trial-specific configuration or customization.
Validation of the trial-specific configuration or customization should ensure that the system is consistent with the requirements of the approved clinical trial protocol and that robust testing of functionality implementing such requirements is undertaken, for example, eligibility criteria questions in an eCRF, randomization strata and dose calculations in an IRT system.”