Personal Data Protection Archives - Faus Moliner
https://faus-moliner.com/en/category/capsulas-en/pharmaceutical-and-life-sciences-law/personal-data-protection/
Mon, 07 Oct 2024 15:30:12 +0000

Which aspects of personal data protection should be included in the patient information sheet and informed consent form?
https://faus-moliner.com/en/que-aspectos-relativos-a-la-proteccion-de-datos-personales-debe-prever-la-hoja-de-informacion-al-paciente-y-consentimiento-informado/
Fri, 06 Sep 2024 07:48:00 +0000

Following the entry into force of Royal Decree 1090/2015, regulating clinical trials with medicinal products, the AEMPS issued an instruction document for the conduct of clinical trials in Spain. This Q&A format document provides useful information on practical aspects derived from the application of this Royal Decree. The instruction document is updated periodically, as well as its annexes, including Annex VIIIA, which contains the “Guideline for correct preparation of a model patient information sheet and informed consent form (PIS/ICF)”.

In addition to the information required to participate in the clinical trial, the Guideline also addresses the information to be provided to the patient for the processing of personal data. In the Guideline, the AEMPS includes the proposed wording that the PIS/ICF should contain in relation to these issues.

The AEMPS proactively requested the AEPD to analyse whether the Guidelines, and in short, the PIS/ICF, complied with the principles of information and transparency required by the General Data Protection Regulation (GDPR). In the report we discuss, the AEPD makes various recommendations and proposals for improvement, which have been gradually incorporated into the latest versions of Annex VIIIA published by the AEMPS on its website.

Responsibilities of the Site and the Sponsor

According to the AEPD, one of the essential aspects that must be specified in any PIS/ICF concerns what specific data processing is carried out by the Site and the Sponsor, respectively, and in relation to which data. Otherwise, the trial participant will not have a clear understanding of the responsibility of each of these parties for the processing of their data. However, the AEPD also recommends not providing excessively detailed information that may be difficult for the average citizen to understand. Furthermore, the AEPD states that it is necessary to include the contact details of the Data Protection Officer (DPO) of the Sponsor, even if the latter only processes pseudonymised data.

Purpose, legal basis for processing and recipients

The AEPD considers that another relevant matter on which information should be provided, in a clear and differentiated manner, is the purpose of the processing. In relation to the legal basis for the processing, the AEPD refers to Opinion 3/2019 of the European Data Protection Board in order to determine which could be appropriate. In addition to the usual consent, the processing of health data may be based on the following bases: compliance with a legal obligation (art. 6.1 c GDPR), the public interest in public health (art. 9.2 i GDPR) and the conduct of scientific research (art. 9.2 j GDPR). On the other hand, the AEPD also recommends delimiting the categories of recipients: health authorities, Ethics Committees for Investigation with medicinal products, or third parties providing services to the Sponsor or the Site, among others.

Other aspects to consider

In the event that international data transfers are foreseen, the AEPD understands that a generic text should not be offered to inform on this matter, but that it would be advisable to adapt its wording to each trial according to its specific circumstances.

On the other hand, as regards the period of data retention beyond 25 years after the end of the clinical trial, the AEPD considers that it should be specified for how much longer these data will be kept and for what specific purpose. Imprecise formulas that could affect the data subjects’ right to information should be avoided.

Finally, according to the AEPD, it would be desirable for the PIS/ICF to establish, in a differentiated and clear manner, the cases in which the re-identification of trial participants is possible (e.g., to protect the vital interests of the data subject) and the corresponding legal basis for this (Art. 6.1 d and Art. 9.2 c GDPR).

In short, it is essential that when drafting a PIS/ICF, all the improvements proposed by the AEMPS in the aforementioned Annex VIIIA, in line with the AEPD’s report, are considered; especially when dealing with sensitive data, such as the health data of patients participating in clinical trials.

Judicial protection of trade secrets
https://faus-moliner.com/en/proteccion-judicial-de-los-secretos-empresariales/
Mon, 18 Jul 2022 14:00:00 +0000

The purpose of trade secret regulations is to ensure the competitiveness of innovative companies and to improve the conditions for the protection of undisclosed information with business value (trade secrets).

In recent months, a number of noteworthy court decisions regarding the protection of trade secrets have been handed down.

The importance of non-disclosure agreements

Firstly, the Judgment of the Provincial Court of Barcelona, of 20 May 2022, upheld a EUR 4.2 million claim. The defendant company allegedly engaged in unfair conduct by exploiting trade secrets that had been provided under a non-disclosure agreement.

This judgment is relevant, not only because of the high amount of the awarded compensation, but also due to the importance given to the existence of a non-disclosure agreement, which was intended to prevent the defendant from using the information in the way it was ultimately used.

The Provincial Court considers the execution of the non-disclosure agreement as one of the key elements of the case. According to the judgment, the defendant acted unfairly to gain access to the claimant’s trade secrets with the aim of securing the management of a hotel that the claimant intended to start operating. Consequently, the claimant lost the opportunity to exploit the business referred to in the privileged information.

Protection of trade secrets in the course of a judicial procedure

Secondly, Commercial Court no. 10 of Barcelona recently issued several resolutions aimed at implementing measures of the Law on Trade Secrets to preserve the confidentiality of information that may constitute a trade secret and has been disclosed in the course of a judicial proceeding. This has included measures such as refraining from using or disclosing information outside the judicial proceedings. Likewise, measures have also been taken to grant access to information only on an individualised basis to specific persons.

Courts becoming accustomed to implementing these measures for the protection of confidential information is extremely beneficial, as it renders greater protection to trade secrets and greater legal certainty to the holders of such trade secrets.

Compliance, internal whistleblowing channels and management of personal data
https://faus-moliner.com/en/compliance-canales-internos-de-denuncias-y-gestion-de-datos-personales/
Wed, 19 Jan 2022 10:39:09 +0000

Internal whistleblowing channels are playing an increasingly significant role in the area of compliance. Since 2010, the Criminal Code (article 31 bis) provides that legal persons may be exempted from liability (or, where appropriate, their liability may be mitigated) for certain offences committed by their directors, managers or employees, if they have adopted and effectively implemented appropriate “surveillance and control measures” prior to the commission of the offence. These measures are part of the so-called “crime prevention programmes” or “compliance systems”. One of these measures is whistleblowing channels, which are used to report potential risks or breaches detected within the company.

According to the “Whistleblowing Directive” (Directive 2019/1937), private sector entities with over 50 employees as well as all public sector entities are obliged to have a whistleblowing channel. Although the deadline for implementing this Directive ended on 17 December and Spain has not yet done so, it is advisable that companies take the appropriate measures to comply with the provisions of this regulation, either by creating whistleblowing channels or, as the case may be, by adapting the existing ones to the new standards.

Whistleblowing channels and personal data

Rules, guidelines and directives have outlined how these channels should be organised. Organic Law 3/2018 on the Protection of Personal Data (article 24) regulates the processing of personal data through these channels. One key aspect is the period during which this data may be retained. According to the law, data must be deleted three months after it has been entered into the reporting system. However, in response to a query from the Spanish Compliance Association, on 22 November, the Spanish Data Protection Agency (AEPD) clarified that, if the complaint is considered well-founded and gives rise to a specific investigation, the data may be kept beyond this three-month period. In this case, however, the data must be retained in the company’s systems other than whistleblowing channels (e.g. at the compliance committee or the human resources management body).

The AEPD recalls that its guide on data protection in labour relations, dated May 2021, also analyses these and other relevant aspects. By way of example, the AEPD clarifies that it is essential that workers are informed about the existence of whistleblowing channels and the processing of the data involved in making a complaint. This information can be included directly in the employment contract or, for example, by means of information letters sent to the staff.

New Spanish Data Protection Law: the latest features on the processing of personal and health data
https://faus-moliner.com/en/new-spanish-data-protection-law-latest-features-processing-personal-health-data/
Thu, 20 Dec 2018 17:22:59 +0000

Information and consent

Law 3/2018 simplifies the duty of the data controller to provide information to the data subject as regards his/her personal data. The controller is no longer required to provide at first instance all the information set forth in the GDPR.

According to this Law, the controller can provide the data subject with some basic information, provided that the controller facilitates other means (e.g. email or link to the privacy policy) to the data subject through which he/she may easily and immediately access all the information referred to in the GDPR (except for the basic information previously provided).

Also, the Law clarifies the circumstances under which data concerning the contact information and working position of persons working for companies may be processed without obtaining their consent.

In order to process said data without previously obtaining the data subject’s consent, two requirements must be met: (i) the data of any such person must be processed only to professionally locate him/her, and (ii) the purpose of the processing must only be to maintain the relationship between the controller and the company for which the person provides his/her services.

The same criterion is followed by the Law with respect to the contact information of self-employed or individual business persons.

Health Data and biomedical research

The Law introduces different provisions aimed at ensuring the proper development of biomedical research, regulating the specific cases in which it is possible to process health data without necessarily having the data subject’s consent (e.g. to guarantee health quality and safety, or due to pharmacovigilance reasons).

Also, the Law opens the door to the use of ‘big data’ in the healthcare sector, favoring access to the data contained in medical and patient records, as long as there are appropriate guarantees in connection with the fundamental right to data protection. In this regard, the Law sets forth the conditions under which it will be possible to reuse personal data for research purposes. In these cases, it won’t be necessary to obtain an additional consent from the data subject. The consent initially provided by such data subject will be enough, as long as such consent allows the use of personal data for research areas scientifically related to the one of the initial study. Also, in any such case, the duty of the controller to provide information to the data subject must be complied with.

Finally, the Law specifies the measures that must be taken to use pseudonymized data, which are also regarded as personal data. In any of these cases, a favorable report from the research ethics committee must be previously obtained. This reinforces the role of such committee in the data protection field.

The new rules on data protection facilitate biomedical research in Spain
https://faus-moliner.com/en/las-nuevas-normas-proteccion-datos-facilitan-la-investigacion-biomedica/
Thu, 19 Apr 2018 10:00:27 +0000

As a general rule, the current legislation establishes that in order to process personal data related to health for purposes of biomedical research it is necessary to have previously obtained the explicit consent of the patient, usually in writing. However, according to Law 14/2007 on Biomedical Research, such consent may not be required in certain circumstances: (i) when the identification of the patient is not possible as his/her data were anonymized; or (ii) when it regards a new research which is related to a previous one.

The Spanish Data Protection Agency (“AEPD”) has recently published a report in which it analyses the impact that the new General Data Protection Regulation (“GDPR”), approved by the European Parliament, and the draft of the Spanish Law on Protection of Personal Data (“LOPD”) –currently being processed– will have in the field of biomedical research.

Such report has been motivated by the concern shown by the scientific community over the fact that these new rules might demand that from now on patients must give their specific consent for each particular research in which they participate.

Flexible interpretation

According to the AEPD, the GDPR and the draft of the LOPD do not only modify the regime contained both in the mentioned Law on Biomedical Research as well as in the Royal Decree 1090/2015 on clinical trials with medicinal products, but they also allow a more flexible interpretation of the scope that might be given to the consent granted according to them, going beyond even the more restrictive interpretation of the Law on Biomedical Research.

“Specific and unequivocal” consent

The AEPD considers that when the GDPR becomes applicable, it will not be necessary that individuals give their consent for a specific research; not even in order to carry out research in a very defined branch as, for instance, a specific type of cancer. On the contrary, taking into account the interpretation directly derived from the GDPR, the consent given in relation to a broad branch of research as, for instance, the oncological research or even for broader areas will be sufficiently unequivocal and specific.

Likewise, in the report issued by the AEPD the opportunity is taken to recall the fact that Law 14/2007 foresees the possibility to undertake research without having the patients’ consent, when such research is of general interest and has been authorized by a Research Ethics Committee, provided that certain conditions foreseen in such Law have been met.

From now on it remains to be seen if the doctrine established by the AEPD through this report is followed by the Ethics Committees when authorizing future research.

Final countdown for the implementation of the European Regulation of Data Protection
https://faus-moliner.com/en/comienza-la-cuenta-atras-la-aplicacion-del-reglamento-europeo-proteccion-datos/
Mon, 12 Mar 2018 10:48:10 +0000

On 25 May the General Data Protection Regulation (GDPR) will be implemented. From then onwards, the GDPR will be the reference standard, and the current regulations of each Member State will be repealed. Therefore, in Spain, Organic Law 15/1999, on Data Protection will be repealed. Many of the concepts and mechanisms contained in the GDPR are already foreseen in a very similar manner in the regulation currently in force. For this reason, companies that are already complying with the current regulations have a good starting point for progressing towards a correct implementation of the GDPR. However, the GDPR does modify certain rules of the current system and includes new obligations. Hereafter we refer to some of the ones that we consider to be the most relevant.

Responsibility principle

From now on those who process personal data will no longer have to register their personal data files with the Data Protection Agency, nor will they need to have a security document. The GDPR does not require compliance with specific formalities; instead, it gives each company the freedom to organize itself as it sees fit in order to comply with the GDPR. To that end, they must conduct impact assessments, analyzing the possible risks when using personal data, depending on which data are being processed, how they will be processed and for what purpose. It is advisable that all these processes are documented, to be able to prove adequate compliance with the GDPR.

Information and consent

In order to achieve greater transparency, the information that must be provided to the data subject whose data are going to be used must be more complete, concise and expressed in a plain language. As regards the consent given by such data subject, it will now have to be “unambiguous”, meaning, by a clear affirmative action of the data subject. Tacit consent will no longer be acceptable. When collecting health data, or biometric or genetic data, such consent will also have to be explicit.

Practical consequences

Although companies might be currently meeting their obligations regarding data protection, it is highly advisable that they review their course of action in this field. In particular, it is advisable to review the content of the information clauses and the way in which the consents are being obtained. It is also advisable to review the privacy policies and the specific procedures that the companies might have implemented so that they might, where necessary, adapt them to the requirements of the GDPR.

Some aspects of the GDPR will be supplemented by the new data protection law which will be approved in Spain in the coming months. We will refer to these matters in future Cápsulas.

Publication of the Code of Best Practice on data protection for Big Data projects
https://faus-moliner.com/en/publication-of-the-code-of-best-practice-on-data-protection-for-big-data-projects/
Wed, 31 May 2017 12:48:36 +0000

Big Data can be defined as the series of technologies, algorithms and systems employed to gather data on a scale and of a variety never seen before in addition to the extraction of valuable data using advanced analytical systems supported by parallel computing.

One of the main uses of Big Data is establishing correlations and creating consumer patterns and profiles. It is of particular interest to countless sectors that undertake online sales and even physical sales via so-called “loyalty cards”, that make it possible to discover the buying habits of a vast number of consumers. Big Data is also an effective tool in sectors such as health, where there are many examples of its effectiveness, for example, in reducing hospital admission times or predicting future illnesses and health risks.

Despite the huge benefits it brings, Big Data also poses obvious risks when it comes to personal data. Imagine, for example, the indiscriminate use of this data without appropriately protecting people’s privacy or without adopting the legal, organisational or technical measures required. The Code sets out guidelines for minimizing or eliminating said risks in such projects, pursuant to the provisions of the new European Data Protection Regulation, which will come into force in May 2018.

Basic principles

The Code recommends considering Privacy by Design in order to ensure that data protection guarantees are included from the very beginning of project planning. Furthermore, it promotes self-regulation by companies managing Big Data projects by producing codes of conduct on this topic (accountability). It also demands that impact assessments are carried out to assess possible risks, amongst others, in the event that health data is being processed.

Legal and technical aspects

Based on the risks that these processes entail in terms of people’s privacy, the Code identifies aspects that must be addressed in order for Big Data projects to comply with data protection regulations. On the one hand, it covers the most important legal aspects to be considered, such as the transparency of information provided in advance to those affected or obtaining their consent and the exercise of their rights, or subsequent uses that had not been envisaged when informed consent was obtained. On the other, the Code reviews the different technical and security issues to be considered as part of these projects. Specifically, it identifies the most common privacy strategies: anonymisation, encryption, access control and traceability.

Personal data recorded in the Mercantile Registry and “the right to be forgotten”, a difficult equilibrium
https://faus-moliner.com/en/personal-data-recorded-in-mercantile-registry-and-the-right-to-be-forgotten-a-difficult-equilibrium/
Thu, 30 Mar 2017 07:20:47 +0000

Background

In 2007, the sole director of an Italian building company sued the Chamber of Commerce of Lecce. He considered that the properties that his company had built were not selling because in the companies’ register it was still noted that he had been the sole director and liquidator of another company which was declared insolvent in 1992 and liquidated in 2005. The court of first instance upheld that claim and obliged the Chamber of Commerce to anonymize the data linking the plaintiff to the liquidated company, and to pay compensation for the damage suffered. The Chamber of Commerce brought an appeal against this judgment and the Italian Supreme Court decided to refer various questions to the European Court of Justice. In essence, the court asked the ECJ whether European law on the protection of privacy precludes any person from having access, for an unlimited period of time, to the data related to individuals that are recorded in the Mercantile Registry.

Public registry and privacy

The European Court recalls that making certain data public in the Mercantile Registry aims to protect the interests of third parties in relation to companies. Given that companies are liable to third parties only with their own assets, situations may arise in which having the personal data of their representatives may be of interest even years after the company has been liquidated (for instance, if personal liabilities have to be sought). According to the European Court, this interference with the right to privacy is not disproportionate because (i) only a limited number of personal data are recorded in the Mercantile Registry (the person’s identity and functions in the company) and (ii) the persons whose data are recorded are persons who choose to participate in trade through a company.

Case-by-case analysis

However, the European Court does not exclude that, in special situations, legitimate reasons may justify limiting access to personal data recorded in the registry once a sufficiently long period of time after the liquidation of the company has expired. In these cases, only third parties justifying a specific interest in the consultation should be allowed access to this data. In the opinion of the court, the limitation of access to personal data must be decided case by case, and it is for each Member State to decide whether it wants to establish such a limitation or not.

In this particular case, the European Court understands that the reasons raised by the Italian director were not sufficient to justify a limitation on the access by third parties to the personal data recorded in the Mercantile Registry.

Countdown for adapting to the new European personal data protection framework
https://faus-moliner.com/en/countdown-for-adapting-to-the-new-european-personal-data-protection-framework/
Wed, 01 Mar 2017 11:50:28 +0000

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the new regulatory framework adopted by the European Union on the protection of personal data. Although it was published in May 2016, it will not fully come into force until May 2018. Thereafter, both Organic Law 15/1999, on Personal Data Protection and Royal Decree 1720/2007, developing said law, will be revoked.

Both Organic Law 15/1999 and Royal Decree 1720/2007 contain a wide variety of provisions similar to those established by the GDPR. Companies that currently comply with said provisions already have a solid base on which to build their compliance with the GDPR. Even so, the GDPR includes several new developments to which all companies must adapt. The AEPD recently published a range of guidelines to help companies with their efforts to adapt to the new regulations.

Informed consent

Under the GDPR, the unambiguous consent of the interested party shall always be required to process personal data. Said consent must have been granted by a clear affirmative action or statement issued by the interested party. Tacit consent or consent by omission, which had been permitted to date, will no longer be accepted.

Processing activities started prior to the implementation of the GDPR shall remain valid insofar as explicit consent was granted. Furthermore, in addition to other new developments, the GDPR also demands that further information be provided to interested parties, in particular concerning the legal basis that makes it possible to process personal data and the scope of rights extended to interested parties. This will involve reviewing not only widely used informed consent, but also the clauses included in privacy policies and agreements to this end.

Controllers and data processors

As had been the case to date, the relationship between the controller and data processor must be covered by an agreement, although the GDPR now regulates its basic content more thoroughly. What’s more, the controller will have to adopt appropriate measures to ensure that the processor is able to process data pursuant to the GDPR.

Therefore, it would be advisable for companies that process personal data to adapt to the GDPR as soon as possible rather than waiting until May 2018. This adaptation process will undoubtedly require decisions to be made and measures to be adopted, with a reasonable time frame set out for their implementation. Particular care will be required in cases in which sensitive data is processed, for example, data relating to people’s health.

Access to public information and personal data protection
https://faus-moliner.com/en/access-to-public-information-and-personal-data-protection/
Thu, 27 Oct 2016 10:10:19 +0000

Introduction

Law No 19/2013 on transparency, access to public information and good governance, as is well known, sets out that requests for access to information possessed by Public Administrations may be denied when said information contains personal data.

In order to ensure consistency between the principles of transparency and access to public information and the fundamental right to personal data protection, on 13 October 2016, the Spanish Data Protection Agency (hereinafter AEPD) published two documents containing guidelines on how to reuse information generated by the public sector and how to anonymise personal data contained therein.

AEPD Guidelines

In these documents the AEPD proposes a series of measures in order to enable Public Administrations to provide individuals with information in their possession (known as the “reuse of public information”), whilst complying with personal data protection guarantees.

Specifically, the documents include detailed instructions on how to anonymise public information in such a way as to minimise the risk of information requested by applicants identifying the individuals to which said information may refer.

In this regard, applicants who have been refused access to information based on said information containing personal data may ask the Public Administration in charge to anonymise the information pursuant to the AEPD guidelines.

Anonymising is not the same as redrafting

These guidelines have been established at a time at which the discretionary powers available to Public Administrations to deny access to public information are gradually becoming subject to more restrictions. Proof of this is the ruling of 23 September 2016 issued by the Spanish Council of Transparency and Good Governance, in which said organisation considers incorrect a decision of the Ministry of Development to deny access to files regarding a building work on the basis that it would have to redraft said information.

The need to redraft the information requested is indeed a valid reason for denying access thereto. However, the Spanish Council of Transparency and Good Governance believes that this rationale was not justified by the Ministry of Development in this case, as it had merely invoked this exception to the right to access public information without explaining the reasons for having to redraft the requested information. In this regard, the Spanish Council of Transparency and Good Governance highlights that the fact that requested information must first be anonymised does not involve submitting said information to a redrafting process and, therefore, access to information cannot be denied on these grounds.
