To the extent key-coded clinical trial data cannot reasonably identify an individual it is likely to be De-identified personal information for the purpose of the Privacy Act.
De-identified personal information is no longer personal information for the purpose of the Privacy Act.
In general, personal information will be de-identified if:
- Direct identifiers are removed; and
- One or both of the following steps have been taken:
- The removal or alteration of other information that could potentially be used to re-identify an individual, and/or;
- The use of controls and safeguards in the data access environment to prevent re-identification
The regulator has issued the following guidance on de-identification:
- De-identification and the Privacy Act;
- The De-identification decision making framework (as adapted from the UK version);
- Guide to data analytics and the Australian Privacy Principles.
Yes, key-coded clinical data is personal data if it is possible to re-identify the data subjects using the key-coded data (i.e., if it is possible to lift pseudonymization).
Key-coded clinical trial data qualifies as pseudonymized data which constitutes personal data under the GDPR.
The key-coded clinical trial data is not defined by the applicable legislation due to the lack of special guidelines/regulations addressing privacy matters on clinical trials. However, pursuant to the Law, personal data is defined as any information related to an identified or identifiable natural person, therefore pursuant to this definition, any information related to an identified or identifiable natural person is deemed as personal data irrespective of the fact who is holding the identification “key”.
There are no local regulations defining key-coded data as personal data in Croatia.
However, based on the decision of the CJEU in the case no. C‑582/14, Breyer v. Bundesrepublik Deutschland, key-coded clinical trial data would be considered personal data if the person holding the data has the means that may likely and reasonably be used to access the key needed for decoding and combine it with the coded data.
Therefore, if the identification of the trial participants is prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant, key-coded data would not be considered personal data.
Key-coded clinical trial data constitutes pseudonymized personal data. unless the codification procedure ensures that re-identification of participants is not possible and in such case data will be anonymised.
Yes.
Finland does not have any country specific guidance on this matter and the general EU approach is followed.
In accordance with the GDPR, key-coded clinical trial data that can be used to re-identify the data subject is considered to be pseudonymized data. Pseudonymized data is personal data. If the clinical trial data is made into a format from which data subjects cannot be re-identified anymore, the data is anonymized meaning that it is not anymore personal data.
Yes, given that the “key” can be used to re-identify the data subjects. The key-coded data would only be considered as pseudonymized and thus fall within the scope of the GDPR.
Yes, as long as it is possible to re-identify the data subjects with the key-coded data, it shall be considered as personal data under GDPR.
Pursuant to the Announcement No. 3/8/2017 issued by the National Ethics Committee, key-coded clinical trial data, mentioned as anonymized data of clinical trial participants, are considered personal data.
Key-coded clinical trial data would not be considered personal data as long as the codification procedure ensures that re-identification of participants by the Sponsor is not possible. Hence, this condition is met if personal data is truly anonymous, not merely pseudonymized.
Personal data is information relating to a natural person who is identified or identifiable and so the principles of data protection should apply to any information concerning an identified or identifiable natural person.
Where key-coded clinical trial data is used, this is akin to pseudonymization which, involves “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” In this case, additional information is the “key” used to re-identify the individuals.
While it does provide additional safeguards, pseudonymized data, unlike anonymized data, is still unequivocally considered personal data under the GDPR, as noted in Recital 26.
Additionally, guidance from the EU Commission also notes that, “if there is a significant prospect of re-identification of persons whose data have been collected, the information should be treated as personal data”.1
[1] European Commission: Ethics and data protection
Yes, as specifically clarified by the Italian DPA’s Guidelines. Indeed, key-coded clinical trial data constitutes pseudonymized personal data.
Only in the case where the data is fully anonymized it would not be considered personal data. Key-coded data would not be considered personal data if it can be guaranteed that no reidentification of the data subject is possible.
Therefore, in those cases, the processing of key-coded data by any entity who does not hold the key will not be data processing in the sense of the GDPR.
The DP Law, nor any of the applicable healthcare laws do not regulate whether key-coded clinical trial data should enjoy the status of personal data.
Given the general rules and principles of the DP Law, as well as the general international practice which the Montenegrin Data Protection Authority (the “DPA”) would likely take into consideration, key-coded clinical trial data would not be considered as personal data, as long as such data does not directly, or indirectly, allow for identification of the participants. Therefore, to the extent that the Sponsor receives anonymized trial data, which by itself, or together with any other information Sponsor might encounter, does not allow identification of the participant, such data would not be considered as personal data.
In line with the GDPR, the DP Law defines personal data broadly as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by a reference to an identifier such as the first and last name, personal identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Key-coded clinical trial data, as pseudonymized data, is considered as personal data. This is because the existence of a key to re-identify the participant can be considered as additional information which could identify the participant.
Yes, key-coded data is regarded as personal data as long as there is a technical possibility to re-identify the dataset. However we have national regulations that allows transfer of key-coded data on certain conditions.
Under GDPR pseudonymised data would still considered personal data. However, key-coded clinical trial data might not be considered personal data if the codification procedure ensures that re-identification of participants by the Sponsor is not possible by any means, e.g. no additional data available to Sponsor or third parties may allow its re-identification.
No specific local laws nor guidelines in this regard, other than GDPR and EDPB’s guidelines were published on this subject.
Law no. 58/2019 of 8 August does not provide for a definition of pseudonymized or anonymized data. However, considering the legal definition of pseudonymization foreseen in Recital 26 and Article 4(5) of GDPR, to the extent it is possible to re-identify the data subject, it is likely that the key-coded clinical trial data is considered personal data. However, this should be assessed in a case-by-case basis in view of the specific technical and organizational measures adopted.
No guidance is given by legislation or the data protection supervisory authority.
The DP Law, nor any of the applicable healthcare laws do not regulate whether key-coded clinical trial data should enjoy the status of personal data.
Given the general rules and principles of the DP Law, as well as the general international practice which the DPA would likely take into consideration, key-coded clinical trial data would not be considered as personal data, as long as such data does not directly, or indirectly, allow for identification of the participants. Therefore, to the extent that the Sponsor receives anonymized trial data, which by itself, or together with any other information Sponsor might encounter, does not allow identification of the participant, such data would not be considered as personal data.
As per the Code, key-coded clinical trial data is not considered personal data as long as the codification procedure ensures that re-identification of participants by the Sponsor is not possible.
Yes. The GDPR applies. If it is in any way possible to re-identify the data subject, the data at hand qualifies as personal data.
Key-coded clinical trial data constitutes pseudonymized personal data (see, for example, the guidance of the Medical Research Council).
Albania
Has the local regulator published any guidelines/regulations addressing privacy matters on clinical trials and/or pharmacovigilance? ('Regulator' may mean either the local data protection authority, or the local medicines authority.)
Yes, with regard to clinical trials. The Albanian Data Protection Commissioner (“Commissioner”) has approved Instruction no. 18 as of 03.07.2012 “On the processing of personal data in the context of clinical trials of drugs” (“Instruction no. 18”).
The instruction is available online.
No guidelines or regulations have been published with regard to pharmacovigilance.
Albania
Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?
No.
Law no. 9887 “On the Protection of Personal Data”, as amended (Data Protection Law) does not provide an extraterritorial applicability.
However, the domestic Data Protection Law does extend to controllers located outside the territory of the Republic of Albania who process personal data with “means” located within the territory of the Republic of Albania. The law does not provide any definition of “means” however the Commissioner has confirmed verbally on several occasions that “means” shall be understood as anything from equipment (i.e., servers), apps or persons located in Albania to collect personal data.
In case the controller (i.e., sponsor) is located outside the Republic of Albania, it must appoint a designated representative located within the territory of the Republic of Albania.
Albania
What is the preferred legal ground for the processing of the personal data of the participants in a clinical trial in your jurisdiction?
Article 4.2 of the Instruction no. 18 states that personal data is processed only if consented by the test subject. Therefore, consent is a mandatory legal ground for processing of the personal data. Further, based on article 4.3 of Instruction no. 18, personal data of clinical trial participants can be processed only for the following purposes:
- If necessary for granting the registration permit of a drug;
- To prove the clinical effect and safety of a drug during the scientific research process;
- To reassess the efficiency and safety of a drug after its release in the market.
Albania
What is the legal ground for the processing of the personal data in respect of pharmacovigilance in your jurisdiction?
The processing of patients’ personal data in respect of pharmacovigilance activities is based on the existence of a legal obligation based on Article 6.1. of the Data Protection Law.
In cases of adverse effects of a certain medicine/drug, the legal ground for conducting data processing activities can also be considered the protection of vital interests of the data subject (Article 6.1.c of the Data Protection Law).
Albania
Indicate the role from a data protection perspective of various parties involved (i.e in respect of the processing of the personal data of the clinical trial).
| Role | Notes |
| Sponsor |
Data controller of the participants' data. |
| Principal Investigator |
Data controller of the participants’ data in connection to data processing activities that arise from the performance of investigation activities. |
| Clinical Trial Site |
Data controller for the purpose of helping the investigation. |
| Monitor |
Sponsor's data processor monitoring the investigation. |
| CRO | Sponsor's data processor when performing activities that involve access by the CRO to the participants data. |
Albania
Is key-coded clinical trial data considered personal data under your jurisdiction’s data protection laws? (Key-coded clinical trial data is where the identity of the individual clinical trial participant is replaced with a unique subject identification code, and the ‘key’ which can be used to re-identify the participant is held by the Principal Investigator.)
Yes.
There is no definition of key-coded information under the Data Protection Law, however as long as the key-coded information is accessible through a “key”, data subjects are at some point or somehow identified/identifiable regardless of who is holding the key to access the information, therefore key coded information is considered personal data under the Data Protection Law.
Albania
Is it possible to re-use the personal data obtained for the purposes of conducting the clinical trial? If so, what requirements need to be satisfied?
Yes.
It is possible to re-use the personal data obtained for the purpose of conducting clinical trials conditional as a general rule only upon consent of the data subject. Other legal grounds for the processing need to be satisfied in a case-by-case basis (e.g., protection of vital interests of the data subject).
Hence, if the consent and/or the legal ground for processing of data extends to the re-use/ re-processing scenario, there is no need to obtain a second consent or to conduct processing on different legal grounds as there is already a valid legal ground in place for processing of personal data i.e., in case of research for the same purpose.
In light of the above, please consider that the consents given and/or the legal ground allowing the processing of data obtained for the purpose of conducting clinical trials do not automatically and in any case, extend to the re-use of the personal data for other/latter purposes unless those are specified.
Albania
What requirements, if any, need to be satisfied if clinical trial data is transferred internationally?
As with health data, clinical trial data are considered sensitive data. Any processing (including transfer) of sensitive data is expressly prohibited. However, processing of sensitive data is allowed in certain exceptional cases prescribed by the Data Protection Law, among others, if the data subject has given his/her consent.
Generally speaking, international data transfer is only limited to those countries offering adequate levels of data protection as provided by the Decision of the Council of Ministers no.934, dated 2 September 2009 “On the determination of the countries which have a sufficient level of personal data protection” i.e., EU and EEA member states; signatory countries of the Strasbourg convention etc.
However, as an exception, international data transfer may take place freely even if made to a country which does not provide adequate protection provided the data subject has granted consent. Other exceptions include scenarios where the international transfer is necessary for the performance of a contract between the data subject and the data controller or in case the transfer is a legal obligation of the controller; the international transfer is necessary for protecting vital interests of the data subject; the transfer constitutes a legal requirement over an important public interest or, for exercising and protecting a legal right; the transfer is done from a register that provides information to the general public etc.
Exceptionally, if none of the scenarios above are applicable, international data transfer is also possible with the prior authorization of the Commissioner, if the Commissioner is satisfied that adequate safeguards with relation to privacy and other fundamental rights of the data subject are in place. The Commissioner can additionally provide for conditions and obligations under which the data transfer should take place.
Albania
