DPO and Data Management

2) in one trial CRO where I'm working is responsible for Data Management - so here it's clear for me that we are data processor. But I have other trial where the DM is done by third party, but we are checking at the sites patient's data against CRF data - does it mean that here we are also data processor ? it's not clear for me..in this situation..
3) is there any situation where CRO might have the status of joint data controller ? or CRO is always the data processor, even if not responsible for the data management?

Answers:

The DPO contact details should be provided to the patient when the patient consents to the trial and is presented with the Privacy Notice. Don`t forget that the EU GDPR requires that the consent needs to be informed so the consent for shoul d always be paired with the Privacy Notice.

In the General Data Protection Notice in the EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ there is a dedicated section where the DPO contact details need to be filled in.

If the processing you do is based on the instructions of the DM then you are a processor. If you however do the processing based on your own judgement then you are a controller regardless if you receive the personal data from a third party.

If the CRO decides the scope and means of processing together with another party then we can assume that joint processing. Each situation needs to be assessed in order to establish the controller, processor, joint controller status.

You should not assume that you are either until you have assessed the particular situation.

To learn more about controllers and processors you can check out our article “EU GDPR controller vs. processor – What are the differences?” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/