Scenario 1/Scenario 2

Scenario2: We do not obtain any personal data from anyone (including from EU) to process their clinical trial provided by our sponsors (who obtains consent from subjects). In this case, what are obligation to ensure we comply to EU GDPR.

Answers:

1. Consent is not necessarily required. You just need to provide an adequate privacy notice to the relevant employees pursuant to art. Article 13 of the EU GDPR – “Information to be provided where personal data are collected from the data subject”( https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/) and among others the fact that date may be sent outside the EEA. In addition you need to ensure that adequate safeguards are in place to regulate the data transfer such as Standard Contractual Clauses.
To learn more about data transfers check out our webinar “ How to make personal data transfers to other countries compliant with GDPR” (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).

2. So you are obtaining personal data from someone namely the “sponsors”. If the personal data you process relates to individuals in the Union then the GDPR is applicable to you. To establish exactly what are your obligations one of the first things you need to do is establish weather you are a controller or a processor.

To learn more about the EU GDPR check out our “EU GDPR Foundation Course” https://advisera.com/training/eu-gdpr-foundations-course//