Today, 25 May 2018, the new General Data Protection Regulation (GDPR) 2016/679 became applicable in the European Union, replacing Directive 95/46/EC. The GDPR governs "the protection of natural persons with regard to the processing of personal data" (Art. 1), insofar as the processing takes place in the context of the activities of an establishment in the EU (irrespective of whether the processing itself takes place in the EU) or the data subjects are in the EU (see Art. 3). At the same time, an adapted Federal Data Protection Act (BDSG-new) came into force in Germany, aligning national law with the GDPR.
In the run-up, the debate on the new laws was heated by the emphasis on possible sanctions: companies that fail to comply with the new data protection rules risk fines of up to four percent of their total worldwide annual turnover of the preceding financial year or EUR 20 million, whichever is higher (Art. 83 GDPR). How serious are the changes, and what actually changes in pharmacovigilance practice? Let's look at four essential areas of pharmacovigilance practice:
If personal data is to be processed by a service provider, the qualification of the contracting party must be checked before the assignment is processed, and a written data processing agreement must be concluded in accordance with Art. 28 GDPR. The qualification is assessed by reviewing the technical and organizational measures and their documentation, for example by examining certificates or similar evidence that can serve as sufficient guarantees (see Art. 32 GDPR). Subcontractors are bound by the same data protection obligations that arise from the contract between the service provider (processor) and the controller (see Art. 28 GDPR). For pharmacovigilance practice, this means adapting the contracts with clients and subcontractors to the standards of the new legal requirements.
According to Art. 9 and 30 GDPR, the processing of personal health data is subject to specific rules. A record of all processing activities must be kept. The record may be kept in writing or electronically and must be made available to the supervisory authority on request. The GDPR also expects the controller to document each processing operation as well as the measures taken to demonstrate compliance (accountability, see Art. 5 and 24 GDPR). Further new requirements for the processing of personal health data are the data protection impact assessment prior to the start of the processing (see Art. 35 GDPR) and the obligation to notify data breaches to the supervisory authority within 72 hours (see Art. 33 GDPR). The appointment of a data protection officer is obligatory where the core activities involve large-scale processing of health data (see Art. 37 GDPR). For pharmacovigilance practice, these aspects lead to a somewhat greater documentation effort.
The GDPR introduces numerous new information obligations towards data subjects: precise specification of the legal basis for the data collection, the duration of data storage, the identity of the controller responsible for the data collection, the name and contact details of the data protection officer, information on the right to lodge a complaint with a supervisory authority, and, where applicable, information on data transfers to third countries (see Art. 12, 13 and 14 GDPR). Adverse event reports are based on personal data of the affected patients and of the reporting persons (physicians, pharmacists, patients).
The German Association of Research-Based Pharmaceutical Companies (
The new legal situation can be interpreted such that, in individual cases, a post-marketing service provider may be permitted to process personal health data even if, for example, a person reporting a serious adverse event explicitly objects to this.
Personal health data are relevant in pharmacovigilance, especially in the context of clinical trials and the Medical Information Service. Alongside the obligation to provide extensive information about the processed data to the affected person (information obligation), the scope of the data collection is a further critical aspect of pharmacovigilance practice. The
An adaptation of the German Medicinal Products Act (AMG), which is planned for this legislative period, may be able to eliminate such legal uncertainties.
For the Medical Information Service, the information obligation towards data subjects means that persons requesting medical information (e.g. patients, pharmacists, physicians) must be informed by the service provider more extensively than before about their rights.
The consequences of the GDPR (and BDSG-new) are a higher workload for pharmacovigilance in the processing of assignments, the documentation of processes, the reporting of adverse events, clinical studies, and the Medical Information Service. In individual cases, excessive bureaucracy and a lack of flexibility in pharmacovigilance practice are criticized. Overall, however, the changes to the legal requirements do not have a major impact on pharmacovigilance activities.