The Information Commissioner (Slovenian National Supervisory Body for Personal Data Protection) received your questions regarding the roles of data controllers and data processors in the context of clinical trials in Slovenia:
If a clinical trial is being conducted in Slovenia, would the Sponsor and the Principal Investigator be considered joint controllers of the personal data of the trial participants (data subjects)?
Is the Sponsor the data controller while the Principal Investigator acts as a processor on behalf of the Sponsor? Is the Principal Investigator an independent data controller/controller in common with the Sponsor?
The Information Commissioner initially emphasises that it is only possible to provide specific opinion and answers to your questions in the course of an inspection procedure where all aspects of data processing and its compliance with the relevant GDPR provisions are assessed in the context of a specific case. Hence, at this point it is only possible to provide general comments, as follows bellow.
Slovenian national legislation, which regulates clinical trials, does not define the roles of the sponsor and the principal investigator in the light of data protection rules, nor does EDPB Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the GDPR. In accordance with our national legislation, the sponsor is a business entity or an individual who assumes responsibility for initiating, conducting, or financing a clinical trial of a medicinal product; the principal investigator is the person responsible for the entire clinical trial course at the clinical trial site; and the investigator is the person responsible for the activities assigned to him in the clinical trial of the medicinal product at the particular trial site.
A controller determines the purposes and means of the processing, i.e. the why and how of the processing. The criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing operation. A processor is a separate entity in relation to the controller that processes personal data on the controller’s behalf.
There is no doubt that the sponsor typically acts as a controller of personal data. However, in our opinion, the principal investigator does not always have a role of a joint controller or a processor, as this depends on his tasks, assignments and level of autonomy in the particular clinical study. This needs to be evaluated on a case by case basis. It is also necessary to distinguish between roles according to the CTR and roles from the point of view of data processing.
So, the sponsor and the principal investigator may be considered as independent or joint controllers, and in certain cases the principal investigator may also act as a processor. We emphasize that the role of a (joint) controller or processor does not stem from the very nature of an entity that is processing data but from its concrete processing activities in a specific context. The same entity may therefore act at the same time as a (joint) controller for certain processing operations and as a processor for others. The qualification as (joint) controller or processor has to be assessed with regard to each specific data processing activity and it is not necessary for an actor to have only one role for all phases of a particular clinical trial. Hence, it is also possible that the sponsor and the principal investigator would be in a specific clinical trial (only) regarding certain processing activities considered joint controllers or, due to special agreements, in a controller-processor relationship. As we do not know the specific facts and circumstances of the concrete clinical trial, unfortunately we cannot give you a more precise answer to your question.
Finally, we would like to add that the EDPB will soon adopt guidelines on the concepts of controller and processor in the GDPR, which will further clarify the meaning of these concepts and the different roles between these actors.
Information Commissioner of the Republic of Slovenia