Clinical Trials Regulation: aims and benefits On 31 January 2022, the European Regulation No. 536/2014 on clinical trials on medicinal products for human use (the “Clinical Trials Regulation”) came into force, replacing the former Directive 2001/20/EC (“Directive”) and the corresponding national transposing legislation. The Clinical Trials Regulation provided for a transition period: The Clinical Trials Regulation aims to harmonise the processes of assessing and supervising clinical trials throughout the EU in order to facilitate the conduct of larger clinical trials in multiple EU Member States/European Economic Area (“EEA”) countries and it aims to ensure that the EU provides an attractive and favorable environment for carrying out clinical research on a large scale, with high standards of public transparency and safety for clinical trial participants. Prior to the implementation of the Clinical Trials Regulation, sponsors had to submit separate clinical trial applications to national competent authorities and ethics committees in each country in order to obtain regulatory approval to conduct a clinical trial. Furthermore, registration and the posting of results of the clinical trials were subject to separate processes. With the implementation of the Clinical Trials Regulation – in order to obtain the approval to run a clinical trial in several European countries – sponsors can now submit one online application via the CTIS, This makes it more efficient both to carry out multinational trials and for EU Member States to evaluate and authorise such applications together. However, running a clinical trial involves the processing of personal data and, therefore, beside the Clinical Trials Regulation, also the General Data Protection Regulation (EU) 679/2016 (“GDPR”) shall apply. It should be noted that the Clinical Trials Regulation constitutes the sector-specific legislation with special provisions under a data protection perspective which, however, do not derogate from the provisions of the GDPR. Moreover, considering that personal data are also processed by the Union institutions, bodies, offices and agencies, also Regulation (EU) 2018/1725 (s.c. European Data Protection Regulation, hereinafter “EUDPR”) shall apply. CTIS and personal data issues In the context of a clinical trial (including the authorisation and supervision process), different actors may need to register personal data into CTIS, including sponsors, marketing authorisation applicants or holders, the European Commission, European Medicine Agency (“EMA”), EU Member States and EEA countries (the “Parties”). In general terms, CTIS is a system that facilitate the exchange of information between the Parties, and specifically, throughout the lifecycle of a clinical trial, the interactions between clinical trial sponsors (researchers or companies that run a clinical trial and collect and analyse the data) and regulatory authorities in EU Member States and EEA countries. Therefore, CTIS is structured as follows: Considering the involvement of the different Parties in clinical trials, the protection of personal data in CTIS is a joint responsibility. Therefore each Party is responsible for ensuring that personal data are processed according to the principles of the GDPR and EUDPR. In this regard, following consultation by EMA, the European Data Protection Supervisor (“EDPS”) confirmed[1] that, pursuant to Article 26 of the GDPR and Article 28 of the EUDPR, the Parties need to be qualified as “joint controllers” of the CTIS. In order to comply with the obligations set forth by Article 26 of the GDPR, the EMA and the representatives of the Parties were engaged in drafting a Joint Controller Agreement (“JCA”) which sets out the roles and responsibilities of the joint controllers in relation to the processing of personal data while using and interacting with CTIS. Moreover, the JCA sets out the measures that the Parties shall put in place in order to ensure the secure processing of personal data in CTIS and covers how the Parties must handle any personal data breaches. Considering that JCA needs to be accepted by all joint controllers, it should be noted that, when accessing the CTIS for the first time, each user is required to confirm acceptance of the terms set out in the JCA. The JCA also includes two annexes: Finally, it is important to note that each of the joint controller can act as an independent controller for the processing activities that can be performed without the cooperation of the other Parties (e.g. sponsors are independent data controllers in relation to data processing activities performed outside of CTIS and carried out within their organisation, whether related to clinical trials or not). Privacy roles of the sponsor and the clinical trial centre As clarified above, in any clinical trial there are multiple actors involved, each with their own scope of activities and specific responsibilities. However, while the role of the Parties within the CTIS is well defined, in the context of conducting clinical trials, neither the GDPR nor the Clinical Trials Regulation have brought clarity to the privacy roles of the subjects involved therein. In this paper, the privacy roles of the sponsor and the trial centre will be examined in more detail. The EDPB’s Guidelines 07/2020 on the concepts of controller and processor in the GDPR (“EDPB’s Guidelines”), throughout a specific example[2], consider that the trial centre and the sponsor, which have to draft together the study protocol, should be qualified, pursuant to Article 26 of the GDPR, as joint-controller, as they jointly determine and agree on the same purpose and the essential means of the processing. On the contrary, in the event that the trial centre does not participate to the drafting of the protocol (it only accepts the protocol already elaborated by the sponsor), and the protocol is only designed by the sponsor, the trial centre should be considered as a processor and the sponsor as the controller for such trial. Instead, at the national level, the “Guidelines for the Processing of Personal Data in the Context of Clinical Trials of Medicines - July 24, 2008” (“Guidelines”) published by the Italian Data Protection Authority (“Italian DPA”) provide that, trial centres and sponsor have separate responsibilities in the context of clinical trials and are, therefore, to be qualified as autonomous data controllers. In fact: In view of the above, it follows that the trial centre and the sponsors should, for the reasons outlined by the Italian DPA, be considered as two autonomous data controllers regardless of whether or not they have jointly drafted the trial protocol. Conclusion The joint-controllership’s approach (which is common especially in other European countries) should not be deemed as the suitable solution applicable aprioristically to all clinical trials without any distinction. This is due to the circumstance that data controllers shall comply, pursuant to Articles 5(2) and 24 of the GDPR. In this specific case, the Accountability principle should require the parties to carry out a specific assessment, supported by documentation, of their privacy roles, taking into account the flow of personal data in the context of clinical trials. In particular, it should be noted that "joint-controllers" jointly determine the purposes and means of processing. In the context of clinical trials, however, the purposes pursued by the clinical trial centre (i.e., patient care purposes) and the sponsor (i.e., scientific research purposes) are substantially different, even if they share a protocol. Finally, it is worth noting that while the Guidelines are still applicable, they are dated, and new EDPB guidelines, updated in light of the provisions of the Clinical Trials Regulation, are expected. [1] See EDPS Case Number C 2018-0642. [2] The example mentions the case in which a health care provider (the investigator) and a university (the sponsor) decide to launch together a clinical trial with the same purpose. They collaborate together to the drafting of the study protocol (i.e. purpose, methodology/design of the study, data to be collected, subject exclusion/inclusion criteria, database reuse (where relevant) etc.From 31 January 2023, all initial clinical trial applications in the European Union (“EU”) must be submitted via the Clinical Trials Information System. The latter is now the single-entry point for sponsors and regulators of clinical trials for the submission and assessment of clinical trial data.