On 7 September 2020, the European Data Protection Board (EDPB) initiated a public consultation on draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Any interested party could provide comments by 19 October 2020 using the dedicated form.

The draft Guidelines contain elements that are of interest for companies active in the life science sector as they may have an impact on comapnies’ day-to-day research and commercial activities in the EU and their compliance with Regulation (EU) 2016/679 (GDPR).

Why is this important?

The distinction between controller and processor in the context of the GDPR is important for determining which entity is responsible for ensuring compliance with the requirements and obligations imposed by the GDPR.

As an example, this distinction is a key element in the determination of how in practice individuals could exercise their rights granted by the GDPR, but also in the determination of whether there is a need to conclude a data processing agreement (i.e., is there a processor?) versus an agreement between joint or independent controllers (i.e., both/all parties are controllers).

In the life science sector, the determination of the roles of controller and processor is important in the context of clinical trials (e.g., what is the role of the research institution?), safety data exchange agreements (e.g., respective roles of the partners), and patient support programs (e.g., what is the role of the treating physician?), just to name a few likely issues.

Concept of controller

The draft Guidelines clarify that the concept of controller is based on the GDPR and that the applicable data protection roles that an entity may have in accordance with other laws (e.g., as sponsor of a clinical trial) have no impact on this definition. This means that a sponsor of a clinical trial is not necessarily the only data controller and other entities (e.g., clinical trial sites) may be joint or independent controllers.

The draft Guidelines also highlight that an entity could be considered to be the controller without having access to the personal data which is processed on its behalf and according to its instructions. In practice, this means that a pharmaceutical company could be a controller if the company determines the essential means and purposes for which patient personal health data is processed by a healthcare professional, even if the company has no access to such patient data.

Joint controllers in the context of clinical trials

The draft Guidelines provide a much needed clarification on the concept of controller and processor in the context of clinical trials.

According to the draft Guidelines, if an investigator and a sponsor of a clinical trial cooperate on the design and development of the key features of the clinical trial protocol, these entities are to be considered joint controllers for the clinical trial subjects’ personal health data.

In contrast, if the investigator is not involved in the design of the clinical trial protocol and simply follows and implements this protocol, as developed and designed by the sponsor, the investigator is a processor and the sponsor is the controller.

In the above scenarios, the investigator (and hospital) would remain the controller(s) for the patients’ personal health data relating to day-to-day patient care outside the scope of the clinical trial.

Essential vs. non-essential means of processing

According to the GDPR, the controller is the entity that, alone or jointly with others, determines the purposes and means of processing of personal data. In practice, however, the determination of the means for the processing of personal data is not always easy to clearly attribute to one or another party. For example, a clinical trial site may determine which tools to use to collect and record clinical trial patients’ personal health data.

To address this point, the draft Guidelines introduce a distinction between “essential” and “non-essential means” of processing of personal data. The essential means that could be determined solely by the controller include the type of personal data processed and categories of data subjects, the duration of the processing, and the recipients of personal data.

While only the controller has the “decision-making power” over the determination of the essential means for data processing, the non-essential means could be determined also by the processor. These non-essential means include “more practical aspects of implementation” of the data processing, as well as the choice of the most suitable technical and organisational means (e.g., specific software tool), without, however, going beyond or against the controller’s instructions and/or determining processor’s own purposes or means for processing of the personal data.

Encrypted or pseudonymised data

One of the examples provided in the draft Guidelines addresses the situation in which a service provider processes encrypted personal data on behalf of the controller and has no means to decrypt this personal data alone. According to the draft Guidelines, in this situation the data processed by the service provider remains personal data within the meaning of the GDPR and the service provider is a processor bound to comply with the GDPR when processing the encrypted data.

In practice, this means that service providers that process pseudonymised and/or encrypted patients’ personal health data on behalf of pharmaceutical companies are processors and the processing of this data must comply with the GDPR. The fact that the service provider cannot decrypt the data on their own does not have an impact on this conclusion.

What’s next? 

The public consultation is a good opportunity for companies and trade associations active in the life science sector to provide feedback to the EDPB and present their specific experience and views. This could inform and help the EDPB adapt the Guidelines as much as possible to the reality and practical needs in the life science sector.

We would anticipate that, following the end of the public consultation, the EDPB would review the feedback received and issue a final version of these Guidelines.