LIVE VIRTUAL TRAININGS
Learn in small groups from top experts and real-life examples

Expert Advice Community

Guest

DPO and Data Management

  Quote
Guest
Guest user Created:   Apr 13, 2018 Last commented:   Apr 13, 2018

DPO and Data Management

1) first question is about the DPO contact details, which should be provided for the patient in the inform consent. Is this clearly regulated where those contact details should be listed? Can we add them in the text or should they be listed together with the Sponsor details ?
0 0

Assign topic to the user

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Andrei Hanganu Apr 13, 2018
2) in one trial CRO where I'm working is responsible for Data Management - so here it's clear for me that we are data processor. But I have other trial where the DM is done by third party, but we are checking at the sites patient's data against CRF data - does it mean that here we are also data processor ? it's not clear for me..in this situation..
3) is there any situation where CRO might have the status of joint data controller ? or CRO is always the data processor, even if not responsible for the data management?

Answers:

The DPO contact details should be provided to the patient when the patient consents to the trial and is presented with the Privacy Notice. Don`t forget that the EU GDPR requires that the consent needs to be informed so the consent for shoul d always be paired with the Privacy Notice.

In the General Data Protection Notice in the EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ there is a dedicated section where the DPO contact details need to be filled in.

If the processing you do is based on the instructions of the DM then you are a processor. If you however do the processing based on your own judgement then you are a controller regardless if you receive the personal data from a third party.

If the CRO decides the scope and means of processing together with another party then we can assume that joint processing. Each situation needs to be assessed in order to establish the controller, processor, joint controller status.

You should not assume that you are either until you have assessed the particular situation.

To learn more about controllers and processors you can check out our article “EU GDPR controller vs. processor – What are the differences?” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Apr 13, 2018

Apr 13, 2018

Suggested Topics

Guest user Created:   Feb 07, 2020 EU GDPR
Replies: 1
0 0

Questions regarding GDPR

Guest user Created:   Jan 14, 2020 EU GDPR
Replies: 1
0 0

EU GDPR - DPO, DPIA & other questions