IKEM Requirements for Personal Data Protection Documents in Clinical Research, Clinical Trials, and Similar Research Projects
IKEM Hospital may take part in clinical trials, clinical research, non-statutory registries, research databases, biobanks, and similar projects only if it is clearly, fully, and understandably explained in advance how personal data will be processed. This includes personal data of IKEM data subjects, especially patients, health care workers, and other persons.
IKEM places strong emphasis on the level of protection for health data, genetic data, laboratory results, clinical data, treatment data, adverse event data, biomarkers, pseudonymized identifiers, and other data that may be processed in connection with research. Health data and genetic data are special categories of personal data under the GDPR. Their processing requires a higher level of technical and organizational security. The GDPR also sets special rules for processing health data for scientific research purposes.
1. Documents must be provided before the contract is signed
A draft contract for a clinical trial, research cooperation, non-statutory registry, or other research project must be submitted together with complete documents dealing with personal data protection. A simple contractual statement that personal data will be processed in line with the GDPR is not enough.
Before signing the contract, IKEM may require in particular:
• the draft contract, for example a Clinical Trial Agreement or a research cooperation agreement;
• a separate personal data protection annex, for example a Data Protection Agreement or GDPR Annex;
• identification of the GDPR roles of all contracting parties;
• a description of the purposes of personal data processing;
• a description of the categories of data subjects and categories of personal data;
• identification of the legal bases for processing under Article 6 GDPR and the exceptions for special categories of data under Article 9 GDPR;
• a personal data flow map;
• a Data Protection Impact Assessment under Article 35 GDPR;
• a description of technical and organizational measures;
• a list of all vendors, subcontractors, CROs, laboratories, IT systems, eCRF systems, hosting services, and other data recipients;
• a description of any transfer or access to personal data outside the EU, including the recipients, countries, purposes, scope of data, and the proposed legal mechanism under the GDPR;
• sample patient documents, especially the informed consent form, patient information, and information on personal data processing under Article 13 or Article 14 GDPR.
If these documents are not provided, are incomplete, or do not make it possible to verify that the project complies with the GDPR and the laws of the Czech Republic, IKEM is not required to enter into the contract.
2. Identification of the roles of companies, the hospital, and other institutions under the GDPR
Before the research project starts, it must be determined whether each party acts as an independent controller, joint controller, processor, or recipient of personal data.
This determination must reflect reality. A formal declaration in the draft contract is not enough. What matters is mainly who determines the purposes of processing, who decides on the means of processing, who processes data based on another person’s instructions, who only receives the data, and who is responsible toward the data subjects.
Correct identification of GDPR roles is a basic condition for properly setting the mutual rights and obligations in the draft contract, the information duties toward patients, the exercise of data subject rights, responsibility for data security, involvement of vendors, and transfers of data outside the EU.
If the parties’ GDPR roles are not properly analyzed and justified, IKEM will consider the draft contract insufficient.
3. A patient’s informed consent is not automatically GDPR consent
IKEM expressly points out that a patient’s informed consent to participate in a study, a clinical trial, sample collection, or health care is not automatically consent to personal data processing under the GDPR.
It is necessary to distinguish between consent under the Health Services Act and the legal basis for personal data processing under the GDPR. In clinical research, legal bases other than GDPR consent may often apply, such as compliance with a legal obligation, public interest in the area of public health, scientific research, or legitimate interest. This always depends on the specific processing purpose and the role of the relevant contracting party.
Patient documents must therefore clearly and understandably distinguish between:
• consent to participate in a study or to undergo a specific medical procedure;
• information on personal data processing;
• the legal basis for personal data processing;
• the purposes of processing;
• data recipients;
• the data retention period;
• any transfer of data outside the EU;
• data subject rights under the GDPR.
4. DPIA and prior risk analysis
For research projects that include processing of health data, genetic data, clinical data, registry data, data from eCRF systems, data from laboratory systems, or international data sharing, IKEM requires a DPIA under Article 35 GDPR.
The DPIA must be completed before processing starts. It should describe in particular the planned processing operations, the purposes of processing, the necessity and proportionality of processing, the risks to the rights and freedoms of data subjects, and the measures used to reduce those risks.
A simple statement that the sponsor or another partner has a Data Protection Officer, a privacy office, or an internal compliance process is not enough. IKEM must be able to review the specific documents for the particular project.
5. Pseudonymization is not the same as anonymization
In clinical research and other research projects, personal data is often described as pseudonymized or de-identified. Such data is not automatically anonymous.
If a re-identification key exists, for example at IKEM, with the investigator, or with another authorized person, and if there is a real possibility to link the record to a specific patient, the data must be treated as personal data under the GDPR.
As a rule, IKEM requires that direct patient identifiers not be transferred to sponsors, CROs, research companies, pharmaceutical companies, registries, or other third parties unless this is necessary, expressly justified, and regulated by contract. The re-identification key should remain at IKEM or with the investigator, unless the nature of the research project requires another properly justified approach.
6. Transfers of personal data outside the European Union
If personal data is to be transferred or made available outside the EU, the legal mechanism under Chapter V GDPR must be documented in advance.
For countries for which the European Commission has not issued an adequacy decision, the European Commission’s Standard Contractual Clauses under EC Implementing Decision 2021/914 are usually used. The correct module of the clauses depends on whether the relationship is controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller.
7. Technical and organizational measures
IKEM requires that the contract documents and related annexes include specific technical and organizational measures, not only general statements.
Important measures may include in particular pseudonymization, encryption, access rights management, two-factor authentication, access logging, access reviews, a ban on storing data outside information systems approved by the controller, limits on copying and downloading data, separation of roles, data minimization, limited retention periods, secure deletion, archiving rules, and the duty to report security incidents without undue delay.
Vendors, subcontractors, and other persons with access to data must be known in advance. Their involvement must be regulated by contract.
8. Clinical trials of medicinal products
For clinical trials of medicinal products for human use, European Regulation No. 536/2014 must also be taken into account. This regulation emphasizes the protection of the rights, safety, dignity, and well-being of trial subjects and the reliability of the data obtained.
If the sponsor of the clinical trial is not established in the European Union, the sponsor must have a legal representative in the EU under Article 74 of this regulation. The appointment of a CRO, an administrative contact, or a DPO does not replace this requirement.
9. Registries, databases, and other research projects
Similar requirements also apply to non-statutory registries, databases, research platforms, biobanks, and other research projects that are not regulated by a special legal regulation or that are created ad hoc based on contractual cooperation.
10. Final recommendation of IKEM
IKEM supports high-quality clinical research and cooperation with academic, research, pharmaceutical, and other research companies. However, the protection of personal data of patients and other data subjects involved in the research project, such as physicians, is a necessary condition for such cooperation.
IKEM therefore expects sponsors, research companies, pharmaceutical companies, CROs, registry operators, and other institutions to submit complete contractual and related documents. If the documents do not include a proper GDPR role setup, a DPIA, a data flow map, a description of technical and organizational measures, documents on data transfers, and appropriate patient documents, they cannot be considered sufficient for entering into a contract.
