GREECE Law and Practice Contributed by: Angela Livgieri and Danai Panopoulou, ALG Manousakis Law Firm
protection of personal data and commercially confi- dential information. 2.4 Use of Online Tools to Support Clinical Trials In Greece, there are no explicit restrictions on the use of online tools in clinical trials. However, the use of these tools must comply with both national and European legislation. This includes the CTR, Minis- terial Decision No G5α/59676/2016 on Clinical Trials and EU Regulation 2016/679 (General Data Protec- tion Regulation – GDPR), as well as its implementa- tion in Greek Law 4624/2019. Additionally, guidance from EOF must be followed to ensure the protection of clinical trial participants’ data privacy rights. More specifically, Ministerial Decision No G5α/59676/2016 (Articles 8, 13 and 24) describes the processes throughout the clinical trial course in Greece and the obligations assigned to sponsors and clinical research organisations (CROs) regarding pro- tecting the participant’s data, including using appro- priate security measures. In addition, a data protection impact assessment must be conducted; appropriate privacy-related information must be provided to the individuals concerned; and data processing agreements (DPAs) must be in place between sponsors, investigators and tool providers. The Hellenic Data Protection Authority (HDPA) over- sees the enforcement of data protection regulations in Greece. While the HDPA has not issued specific guid- ance on the use of online tools in clinical trials, spon- sors and investigators must ensure that any digital platforms used for recruitment or monitoring purposes implement appropriate technical and organisational measures. 2.5 Use of Data From Clinical Trials Data from clinical trials is classified as sensitive health-related information regarding an individual’s past, present, or future physical and mental health (Article 4 (15) GDPR). Transferring clinical trial data to third parties or affili- ates is allowed under specific conditions:
• Within the EU/EEA, it is allowed, provided that clinical trial participants have been duly informed through the informed consent form and processing is in accordance with the trial’s approved protocol. • Outside the EU/EEA (International Transfers), if data is transferred to a third country (eg, the US), additional safeguards are required: (a) the recipient country must have an adequacy decision from the European Commission (eg, under the EU-US Data Privacy Framework); (b) if no adequacy decision exists, Standard Con- tractual Clauses (SCCs) or Binding Corporate Rules (BCRs) must be used; and (c) additional security measures (eg, encryption, pseudonymisation) may be required. To ensure compliance, before transferring clinical trial data to third parties or affiliates, the sponsor must execute a Data Processing Agreement (DPA) (along with the execution of the appropriate Standard Con- tractual Clauses if applicable for international transfer) with third-party vendors or enter into an intragroup data transfer agreement with its affiliates. 2.6 Personal or Sensitive Data Below, you will find the requirements for creating a database containing personal or sensitive data (in accordance with the GDPR and Law 4624/2019). A Data Protection Impact Assessment (DPIA) (GDPR Article 35) is mandatory if the processing of person- al data is likely to result in a high risk to individuals’ rights. For example, this will be the case if: • there is large-scale processing of special catego- ries of data; • there is involvement of high-risk data processing; or • there are systematic and extensive processing activities, including profiling. Adherence to data protection principles, such as the data minimisation and purpose limitation principles, is required, as the database should contain only the min- imum amount of data necessary for the specific pur- poses for which it was created (Articles 5-11 GDPR).
115 CHAMBERS.COM
Powered by FlippingBook