April 7th, 2025
Role qualification and Clinical Trials in Spain: Does the new AEPD decision undermine the legitimacy of the first European Data Protection Code of Conduct on Clinical Research?
Spain’s complex regulatory landscape
Sponsors trying to perform clinical trials in Spain have traditionally dealt with a complex regulatory landscape, partly due to the decentralization of competences on health to the different regions and the variety of authorities involved. From a data protection perspective, one of the most disputed topics when negotiating a clinical trial agreement was the role qualification of the parties, which determines their obligations and responsibilities. The role qualification varied by region or even hospital, and the health and data protection authorities held opposing views on the matter.
Approval of Farmaindustria Code of Conduct:
With the approval of the Farmaindustria Code of Conduct (“CoC”) in 2022 by the Spanish data protection authority (“AEPD”), the question of the role qualification seemed settled. The CoC painted a clear view on the position of the parties: hospital and sponsor should be considered independent controllers.
(Figure 1: Farmaindustria Code of Conduct, page 37)
Indeed, the AEPD ratified the CoC and agreed with its criteria, stating that while the hospital is controller regarding the authorization to access the medical records by individuals contracted by other parties (such as the CRO and the monitor), the sponsor is controller regarding the processing of personal data for research purposes.
According to the AEPD, “(t)he Code of Conduct specifies and facilitates the processing of personal data in clinical trials (…), it establishes protocols that facilitate the application of the GDPR and offers certainty to the entities that adhere to it” on “the position of the various parties involved (…)”. Further, the AEPD declared that “(a)s regards the code’s compliance with national legislation, in particular the LOPDPGDD, as well as various national sectoral regulations governing clinical trials with drugs, observational studies with drugs, pharmacovigilance and biomedical research, the code’s content is fully compliant”. This led to the expectation, among both adherents to the CoC and followers of its criteria, of being considered compliant with GDPR and Spanish data protection legislation.
New AEPD Decision
This certainty was shattered with the decision published this month by the AEPD. In June of 2023, Grupo Español de Trabajo en Enfermedad de Crohn y Colitis Ulcerosa (GETECCU), Sponsor of a clinical trial conducted in several Spanish hospitals, notified the AEPD of a personal data breach that occurred within the platform used to collect the data of the study. The AEPD fined the sponsor 7.000 euros for not signing data processing agreements with the hospitals, considering it an infringement of article 28 of the GDPR. Additionally, the sponsor was ordered to implement said agreements within 3 months.
After analyzing the factual circumstances of the case, the AEPD concluded that the role qualification of the parties is independent controllers. However, the hospitals were additionally considered processors of the sponsor (controller) for the processing of personal data related to the clinical trial database.
Surprisingly, this qualification of the hospital as processor (and the consequent requirement of a data processing agreement) was not mentioned in the CoC, nor in past reports of the AEPD.
Where does this leave Sponsors?
The CoC appeared as the blueprint to follow in clinical trials conducted in Spain. As mentioned above, one of the main factors that determined the code’s approval was its consideration as a tool to facilitate data protection compliance and provide certainty to the stakeholders. However, the AEPD’s decision to fine a Sponsor for not fulfilling a requirement that is not present in the code may undermine its legitimacy and practical value. If sponsors cannot rely on the code approved by the AEPD to avoid being fined, how can they be sure of their compliance?
It will be challenging for sponsors to align with the role qualification reflected in the AEPD decision. Besides the inherent difficulties of reopening negotiations on signed clinical trial agreements, the fragmented nature of the clinical trial landscape in Spain makes it even more difficult. Spain lacks a unified template for clinical trial agreements, and the various official regional templates are often mandatory and non-amendable (e.g., Andalucía). More importantly, they do not reflect the additional qualification of sites as processors recently declared by the AEPD.
MDT has contacted the AEPD and the regional data protection authorities requesting clarification on their position. While waiting for further guidance, and as a risk mitigation measure, it would be advisable for Sponsors to implement data protection agreements with their Spanish sites where possible, documenting their efforts to align with the AEPD decision.
