Transfers of personal data to the US in research studies conducted in Spain
Frequently Asked Questions on the EU-US Data Privacy Framework document issued by the European Data Protection Board on 16 July 2024
Capsulas Nº 257
Background
Clinical trials and other studies conducted in Spain are often sponsored by US entities. For this reason, patients’ health data and, in many cases, their biological samples collected in Spain are sent to the US. These health data and biological samples are personal data, and their transfer to the US constitutes an international transfer of personal data subject to the General Data Protection Regulation (GDPR).
The GDPR stipulates that when personal data is transferred outside the European Economic Area (EEA), the level of protection in the destination country must be equivalent to the European level. That is the case when the European Commission, by means of a specific decision, considers that the rules of the destination country are adequate. In the absence of such a decision, data may be transferred if the sending and receiving entities have entered into agreements ensuring an adequate level of protection. These agreements are commonly implemented through “Binding Corporate Rules”, or through “Standard Contractual Clauses” adopted by the European Commission.
EU-US Data Privacy Framework
In the case of personal data transfers to the US, the European Commission adopted the Adequacy Decision implementing the “EU-US Data Privacy Framework” (DPF) on 10 July 2023. The DPF is the third attempt to regulate such transfers. Previously, the Court of Justice of the European Union (CJEU) had invalidated the Safe Harbour and Privacy Shield decisions in Schrems I (C-362/14) and Schrems II (C-311/18). In both cases, the CJEU considered the guarantees of personal data protection in the US to be insufficient, especially because of mass surveillance programmes run by the US authorities.
The Adequacy Decision allows public and private entities resident in the EEA to transfer personal data to US entities adhering to the DPF. These US entities must undergo a self-certification process with the US Department of Commerce, committing to respect a number of general data protection principles, in particular those relating to data use and retention.
When personal data are processed in the context of clinical research, the DPF includes other requirements, such as pseudonymisation of the data by the investigator. The DPF also provides that US sponsors of clinical trials may make secondary use of the data they have received, but must inform the data subjects so that they have the opportunity to object to such use. In addition, new studies involving secondary use of data must be in areas of research or for purposes consistent with what was intended in the consent given for the initial study. These complementary principles are aligned with the 17th Additional Provision of the Spanish Data Protection Law (LOPDGDD), which regulates the processing of health data.
European Data Protection Board clarifications on the DPF
On 16 July 2024, the European Data Protection Board published two frequently asked questions (FAQ) documents to clarify doubts about the DPF. One is addressed to European organisations exporting data to the US and the other to individuals whose data is transferred to the US.
The document for exporting entities clarifies which US entities can self-certify under the DPF. It also explains how exporters should proceed before transferring data: they must check that the importer holds a current certification covering the data to be transferred and, if transfers are to be made to any of the importer’s affiliates, whether the certification also covers those affiliates. For this purpose, the public registry of the DPF (https://www.dataprivacyframework.gov/), managed by the US Department of Commerce, should be consulted.
In addition, this document provides specific guidance depending on whether the importing entity is acting as a controller or as a processor of the data. If it is a controller, data subjects must be informed of the entity receiving the data and that the transfer is covered by the DPF Adequacy Decision. If it acts as a processor, both entities must sign a processor contract in accordance with Article 28 of the GDPR, in addition to the DPF certification.
For individuals whose data is transferred to the US, the document indicates how they can exercise their rights, and which authority will handle their complaints. It also states that they should be informed of the transfer and the identity of the importer of the personal data.