GDPR Flashcards
When did the GDPR come into force?
The EU General Data Protection Regulation Training Deck
Clinical Operations Training - Slide 2
5, May 2018
BREXIT: at the end of the Transition Period, it was retained in the UK as the “UK GDPR”
GDPR allows for individual member states to vary the rules in a number of areas. What are they?
- employment
- processing of sensitive health information, including genetic data
- processing personal data for scientific research purposes in the public interest
Clinical ops policies and procedures must flex to meet local legal requirements because…
…there is a lack of uniformity across the EEA/UK
True or False
The GDPR applies to all controllers and processors in all industrial sectors equally.
True.
(i.e., IVI is treated the same as Silicon Valley tech giants like Meta and Amazon which are treated the same as supermarkets and banks)
What are the 10 GDPR Key Themes for Clinical Trials?
Clinical Operations Training - Slide 3
Regarding Territorial Scope…
GDPR applies to:
Clinical Operations Training - Slide 4
- Data processing in the context of the activities of an “establishment” in the EEA/UK
- Processing EEA/UK data subjects’ personal data
Regarding Territorial Scope…
What constitutes an “Establishment” that would be covered under GDPR?
“Establishment” is broad: a minimal business presence through “stable arrangements” is enough, e.g. the presence of a single employee or agent in the EU, if that employee or agent acts with a sufficient degree of stability.
True or False
EU GDPR applies even if the processing itself takes place outside the EEA/UK, e.g., a company group based in multiple countries.
True
Does a controller or processor need to be established in the EU/EEA for the GDPR to apply?
No. If they offer goods or services or monitor individuals’ behaviour within the EEA/UK, then GDPR applies.
* Look at factors such as the ability to order goods/services online and the use of an EU language/currency.
* Monitoring ⇨ tracking EEA/UK individuals online and creating profiles, e.g., targeted advertising through the use of cookies, conduct of clinical trials.
True or False
A controller or processor not based in the EU/EEA must appoint a representative within the EU/UK.
True.