Category Archives: Little tips for CRA

Should clinical study technicians take the steps related to the GDPR? Who should carry out these procedures?

Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. We are meeting today once again to talk about the GDPR, the General Data Protection Regulation which is, I remind you, the reference text in terms of personal data protection within the EU. It came into force on May 25, 2018 in the EU member states.

The question of the day is whether clinical study technicians (CSTs) are responsible, at their level, for implementing the obligations related to the GDPR, or whether this happens at another level. As a reminder, clinical study technicians are the personnel in charge of entering the study data collected from patients in order to ensure the proper conduct of the study. They handle personal data on a daily basis. However, it is not up to them to implement the obligations related to the GDPR, since this happens at the level of the data controller.

I remind you that the controller is the person who determines the purposes and means of the processing. In practice, in clinical research, it is the sponsor. Within the sponsor’s organization, there are different levels that can deal with GDPR compliance.

First of all, if a Data Protection Officer (DPO) has been appointed – which is not always an obligation – he or she will be responsible for ensuring compliance with the GDPR, i.e., putting in place all the required tools: the register of processing activities, an impact assessment where appropriate, supervision of transfers outside the EU, etc.

If there is no DPO in the sponsor’s organization, compliance will be handled by the legal department, if there is one, and otherwise directly by management. It is therefore not up to the clinical study technicians to implement GDPR compliance. On the other hand, like all personnel involved in the study, they must be trained in the rules of the GDPR, in its spirit and in the way the data must be processed: since they handle this data on a daily basis, they must know what they can and cannot do with it.

I hope you enjoyed this video, if so, you can subscribe to our channel and like this video and you will find in the information bar all the information about our services such as the monthly legal watch or the legal advice in clinical research. As for us, we will soon meet again for a new video!

GDPR: Can an impact assessment be carried out once the processing has already begun?

Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. We are meeting today to talk about the General Data Protection Regulation (the GDPR) which is, I remind you, the reference text in terms of personal data protection and which came into force in the European Union on May 25, 2018.

The question of the day is whether it is possible to carry out a data protection impact assessment a posteriori, i.e., once the processing has already begun. The impact assessment is a tool for ensuring compliance with the GDPR and is intended for processing operations that could generate high risks for the rights and freedoms of the data subjects: it weighs the security measures implemented by the data controller against the risks to the rights and freedoms of the data subjects.

In practice, the impact assessment can be carried out in whatever form you wish, but the CNIL provides a piece of software called PIA that allows you to perform it in a very clear and simple way. It is better to carry out the impact assessment before your processing begins, because if you find that some security measures are insufficient or badly applied, you can correct them before the processing starts.

However, the GDPR is not always straightforward, so you may have forgotten to carry out your impact assessment. If so, nothing stops you from doing it during your processing. This will allow you to identify and implement any corrections needed to certain security measures and, if you identify a data breach in the process, you can still notify the CNIL so as to be truly in compliance with the GDPR.

In conclusion, the impact assessment is preferably carried out before the processing, but nothing prevents you from carrying it out during your processing if you have not been able to do it before. Please refer to the CNIL website to find out in which cases you have to carry out an impact assessment. And I remind you that this is the responsibility of the data controller, with the help of its processor if necessary.

That’s it for this video, I hope you liked it. If you did, don’t hesitate to subscribe to our channel and to like this video and you will find in the information bar information on our services and in particular the monthly legal watch and the legal advice in clinical research. As for me, I’ll see you soon for a new video.

Is there a GDPR certification? How can I prove that my company is GDPR compliant?

Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. We’re meeting again to talk about the General Data Protection Regulation (the GDPR), which is the reference text in terms of personal data protection, and which came into force in the European Union on May 25, 2018.

Today we’re interested in certification. We want to know whether there is a certification in terms of the GDPR. First of all, certification is provided for by the GDPR in its articles 42 and 43. It allows a data controller to ask a third-party certification body to attest to the conformity of its processes, products, services or skills with the criteria defined in a given reference framework. The certifying body must be independent and impartial, and for this there are two routes: either the body has been approved by the CNIL, or it has been accredited by the French Accreditation Committee (COFRAC).

Certification allows an organization to prove its compliance with the GDPR and thus to offer a guarantee of confidence to its customers. The best-known certification in terms of personal data protection is the certification of the competences of the DPO, i.e., the data protection officer. Passing this certification allows the company to prove that its DPO, the person who deals with all aspects related to the GDPR, carries out his or her missions in accordance with the reference frameworks provided by the CNIL. So, once again, it is a guarantee of confidence for your customers.

In conclusion, it is possible to obtain a GDPR certification. There are different ones on different subjects, but the main one concerns the DPO’s skills. If you wish to have recourse to a certification, you can go to the website of COFRAC (the French Accreditation Committee), since it lists all the certifying bodies.

That’s it for this video, I hope you enjoyed it. If you did, don’t hesitate to subscribe to our channel and to like this video, and you will find in the information bar the information concerning our monthly legal watch and the legal advice in clinical research. As for me, I’ll see you soon for a new video.

Who must notify the CNIL of a violation?

Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. We meet again to talk about the General Data Protection Regulation (the GDPR), which is the reference text in terms of personal data protection, and which came into force in the European Union on May 25, 2018.

The question of the day is who should file a data breach notification with the CNIL. As a reminder, a personal data breach is a breach of security resulting in the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of or access to personal data. When such a personal data breach occurs and it entails a risk to the rights and freedoms of the persons concerned, it must be notified to the CNIL within 72 hours.

In practice, how does this happen? If the clinical research associate (CRA) realizes that a personal data breach has occurred, he/she informs the project manager who will contact the sponsor – or its DPO, if one has been designated – directly so that the latter can notify the CNIL of the breach. It is therefore the sponsor or its DPO who will be responsible for this breach notification.

When a subcontractor works with the controller, the same applies: if a personal data breach occurs at the subcontractor’s premises, it must directly inform the controller or its DPO, who will be responsible for notifying the data breach to the CNIL.

In conclusion, the person in charge of making this data breach notification to the CNIL, within the 72-hour time limit, is the sponsor or its DPO, if one has been appointed.

Consult the CNIL website to find out how to notify it of a data breach. Note that when the breach does not entail any risk to the rights and freedoms of the persons concerned, you simply have to document it internally; if the breach entails a risk, you have to document it internally and inform the CNIL within 72 hours; and if the risk is high, you have to document it internally, notify the CNIL and inform the persons concerned as soon as possible.

That’s it for this new video, I hope you liked it. If you did, don’t hesitate, as usual, to subscribe to our channel, to like this video and you will find in the information bar the information about our services and in particular the monthly legal watch and the legal advice in clinical research. As for me, I’ll see you soon for a new video.