The European Union’s General Data Protection Regulation (GDPR) goes into effect May 25, 2018, replacing the existing EU Data Protection Directive. The regulation is intended to cover EU personal data and therefore we intend to explain what it means for clinical research sponsors, emphasizing that for the purpose of the collection, processing and use of personal data in the clinical research consent documents of the persons under investigation, the following information should be indicated:
- a) identity and contact information of the data controller or the controller's representative
b) contact information of the data protection officer where appropriate
c) purpose of personal data processing and the legal basis of processing
d) controllers or third party’s legitimate interests where the processing is based on point (f) of Article 6: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
e) the recipients or categories of recipients of the personal data if there are
f) where applicable, that the controller intends to transfer personal data to a third country or international organistion
2. a) the period for which the personal data will be stored and if not possible - criteria for the application of those provisions (e.g legislative terms)
b) an existence of the right of controller’s access to data concerning the data subject, and the right to request rectification or deletion or restriction of processing of personal data subject, or the right to object to the processing as well as the rights of data portability, under the Article 31 of Personal Data Processing Law
c) the right to withdraw the consent at any time without affecting legality of such data processing, for which the consent was granted before such withdrawal
d) the right to lodge a complaint with a supervisory authority and the contact details of the supervisory authority
3. If the controller is considering processing data for purpose other than those for which the consent has been collected, the controller shall inform the data subject about the other purpose & shall supply all additional relevant information.