This Code of Conduct becomes the first sectoral code of conduct approved since the entry into force of the General Data Protection Regulation (GDPR). Its scope of application is Spain; however, it aspires to be a benchmark at European level, as it is the first code in this field to be approved in Europe.
This new Farmaindustria code, which replaces and adapts the previous one from 2009, represents a step forward in the protection of the data of those who participate in the activities it regulates, and will serve to strengthen clinical research and pharmacovigilance. Farmaindustria is the National Business Association of the Pharmaceutical Industry that brings together most of the innovative pharmaceutical companies established in Spain.
The GDPR establishes that associations or representative bodies of categories of controllers or processors can develop codes of conduct to facilitate its effective application. These codes constitute an element of self-regulation that responds to the specific needs of the sector of activity that they regulate, provide guarantees for the rights and freedoms of individuals, and represent an added value to the applicable regulations. Codes of conduct must be approved by the supervisory authority.
The scope of application of the code is the processing activities within the framework of clinical research in general, and clinical trials in particular, as well as those activities linked to compliance with obligations set by regulations on pharmacovigilance for the detection and prevention of adverse effects of drugs already marketed. In the case of clinical trials, it establishes protocols that facilitate the application of the GDPR and offers security to the entities that adhere to it. These protocols regulate, among other issues: the application of the principles of data protection, impact assessment, data coding, the responsibility of the different participants in a trial, the legal basis of processing, the regime of international transfers of data, the obligations derived from security breaches and the exercise of rights.
In terms of pharmacovigilance, the code distinguishes between the processing of personally identifiable data and that of coded data, and establishes protocols for collecting information on possible adverse reactions depending on who makes the notification and the different notification channels, including social media. Likewise, the code establishes a mediation procedure, voluntary and free of charge, which allows for an agile response to claims raised by data subjects.
The GDPR establishes that all codes of conduct must designate a supervisory body that acts independently of both the promoter of the code and the adhered entities, and which must be accredited by the supervisory authority. The Spanish DPA (AEPD) has accredited the governing body of the code of conduct as the body in charge of the supervision of the code.
Article provided by INPLP member: Belén Arribas (Belén Arribas, Abogada, Spain)
Dr. Tobias Höllwarth (Managing Director INPLP)