If You Are Doing Clinical Research In Serbia, You Must Appoint a Data Representative and/or a DPO

20/02/2025
clinical research, data protection

Clinical research is a data-intensive field, involving the collection, storage, and analysis of sensitive personal data, including special categories like health data. In Serbia, strict legal frameworks govern the handling of such data to ensure the protection of individual privacy and rights. For clinical research professionals – whether sponsors, investigators, or regulatory affairs teams – understanding and complying with these requirements is not just a legal obligation but also a cornerstone of ethical research practices.

One critical aspect of compliance is the appointment of a Data Representative and/or a Data Protection Officer (DPO). This blog outlines the legal obligations, roles, and practical steps for appointing these professionals to ensure compliance with the Serbian Law on Personal Data Protection.


Legal Obligations for Clinical Research Organizations in Serbia


The Law on Personal Data Protection in Serbia (modeled after the EU’s General Data Protection Regulation, GDPR) imposes several obligations on organizations processing personal data, especially sensitive data used in clinical research. These obligations include:

  • Data Minimization: Collecting only the data necessary for the research.
  • Legal Basis for Processing: Ensuring consent or another lawful basis for data processing.
  • Transparency: Informing participants about how their data will be used.
  • Special Categories of Data: Applying extra safeguards when handling sensitive data, such as genetic or health information.

 

Two roles are particularly relevant for clinical research organizations to comply with these obligations:


1. Data Representative: Required for organizations without an establishment in Serbia but actively processing the personal data of Serbian residents.

2. Data Protection Officer (DPO): Mandatory for organizations where data processing is a core activity and involves large-scale processing of sensitive data.

If you’re conducting clinical research in Serbia, you will need to appoint at least one of these two roles!

This blog will explain the specific circumstances under which each of these roles is mandatory for clinical research. For a more general overview of the necessity of appointing a DPO or Data Representative in Serbia, find out more in our blog: Data Protection Officer vs. Country Representative for Serbia.


1. Data Protection Officer (DPO)

 

Whether you are a foreign or domestic company conducting clinical research in Serbia, you must appoint a Data Protection Officer (DPO) if:

a) the core activities of your research involve large-scale, regular, and systematic monitoring of research participants (data subjects); or

b) the core activities of your research involve large-scale processing of sensitive data, such as health information or genetic data.

In clinical research, at least one of these conditions will always be met, as the research typically involves the systematic monitoring of participants and the processing of sensitive health-related data. This means that if you are conducting clinical research, appointing a Data Protection Officer (DPO) is essential to guarantee compliance with data protection regulations.

A group of organizations involved in the research process can designate a single Data Protection Officer, as long as this representative is equally accessible to all members of the group. This option is particularly favorable if the budgets are constrained.

 

The Role of the Data Protection Officer (DPO) in Clinical Research

A DPO is responsible for overseeing the overall data protection strategy and ensuring compliance with Serbian data protection laws. Their role becomes critical in clinical research due to the large-scale processing of sensitive data.


Responsibilities of a DPO:

  • Monitoring compliance with data protection laws and internal policies.
  • Conducting data protection impact assessments (DPIAs), especially for research projects involving special categories of data.
  • Providing guidance on legal obligations and best practices.
  • Serving as a contact point for the Serbian data protection authority and participants.

 

Conditions & Qualifications:

  • In-depth knowledge of data protection laws and practices.
  • Familiarity with the ethical implications of data processing.
  • Either domestic or foreign individuals can be designated for the role. However, domestic individuals are often more familiar with the specific data protection laws and regulations that apply in Serbia, making them a preferable option for ensuring compliance with local legal requirements. Additionally, having a domestic DPO enables smoother communication with Serbian authorities and data subjects, as they can engage directly in the Serbian language.
  • While a DPO can be an employee of the organization conducting clinical research, most companies do not have in-house data protection experts. In such cases, appointing an external DPO is not only viable but often highly useful, giving the organization specialized expertise and guidance in data protection compliance. An external DPO is particularly advantageous where an in-house DPO may lack impartiality or face potential conflicts of interest, because the guidance it provides is independent.

 


2. Data Representative for Serbia


If you’ve already appointed a Data Protection Officer (DPO) and think you’re finished with compliance requirements, think again! The role of a Data Representative for Serbia is different from that of a DPO, and your company may be obligated to assign each of these two roles.

If you are a foreign company conducting clinical research in Serbia but do not have a registered office, branches, or other establishments in the country, you must still comply with Serbian data protection laws if you are involved in activities such as:

a) Offering goods or services to individuals in Serbia, even if the data subject is not required to pay for these goods or services; or

b) Monitoring the activities of data subjects within Serbia.

In these cases, you are required to appoint a Data Representative in Serbia to ensure compliance with the Law.

However, even if you meet the above-mentioned conditions, you may not be required to appoint a Data Representative in Serbia if:

a) You are a public authority; or

b) The data processing is occasional, does not involve large-scale processing of special categories of data or data related to criminal convictions, and is unlikely to result in privacy intrusions. In practice, this exemption almost never applies in clinical research.


Given the nature of clinical research, which typically involves large-scale processing of sensitive health-related data and systematic monitoring of research participants, most foreign clinical entities will find that they must appoint a Data Representative in Serbia to comply with local data protection regulations.

For more detailed information on the regulations surrounding the position of Data Representative in Serbia, including specific requirements and the legal obligations associated with this role, you can refer to our blog: “Does Your Company Need to Appoint a Representative for Serbia?“

 

What is a Data Representative?

 

For foreign sponsors and contract research organizations (CROs) without a registered legal entity in Serbia, this representative acts as a local point of contact for all data protection matters, helping you navigate local regulations and maintain proper compliance throughout your clinical research activities.

 

Key Responsibilities of Data Representative:

 

  • Representing your organization before the Serbian Commissioner for Information of Public Importance and Personal Data Protection;
  • Ensuring communication with research participants and authorities;
  • The company may entrust its Representative for Serbia with maintaining records of processing activities.

 


Who Can Be Appointed as a Data Representative in Serbia?

 

 

 

3. Legal Basis for Data Processing in Clinical Research and Use of Special Categories of Personal Data

 


Legal Basis

 

When conducting clinical research in Serbia, it’s crucial to understand the legal framework surrounding data processing. The Serbian Law on Personal Data Protection governs how personal data is collected, used, and stored within the Republic of Serbia. It is also important to note that this regulation is harmonized with the EU’s famous General Data Protection Regulation (GDPR).

The Serbian Law on Personal Data Protection requires a lawful basis for processing any personal data. However, in the context of clinical research, relying solely on one legal basis might not always be sufficient. Namely, different legal bases may be used for different processing activities within the clinical research process, the main two being:

  • Processing operations related to reliability and safety purposes; and
  • Processing operations purely related to research activities.

 

Generally, the most commonly cited legal bases for clinical research purposes are:

  • The necessity for compliance with a legal obligation to which the controller is subject: In the context of clinical research, this legal obligation stems from directives and regulations mandating data collection for the purposes of medicinal product development and pharmacovigilance.
  • Explicit consent from the data subject: While not always practical for all types of data collection in clinical research, obtaining explicit consent from participants strengthens the legal justification for processing their personal data.

 

Different legal bases may be used depending on the specific circumstances. These additional legal bases could be:

  • Public interest: This can be a crucial legal basis for processing personal data in clinical research if it directly supports the advancement of medical knowledge and public health.
  • Legitimate interests pursued by the controller: This legal basis can be used when processing personal data is necessary for the research sponsor’s legitimate interests, provided those interests outweigh the interests or rights and freedoms of the data subjects.

 

Special Categories of Personal Data

Clinical research often involves processing “special categories of personal data,” which is a designation for sensitive data types like information about a person’s health. The Serbian Law on Personal Data Protection imposes stricter requirements for processing special categories of data. However, there are specific exceptions that allow for the processing of such data under certain conditions. In the context of clinical research, the following exceptions may apply depending on the specific circumstances:

  • Explicit consent: The data subject has given explicit consent for the processing for one or more specific purposes unless the law provides that processing is not carried out on the basis of consent.
  • Protection of vital interests: Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally unable to give consent.
  • Public interest in public health: Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and medicinal products or medical devices.
  • Public interest archiving, scientific or historical research, and statistical purposes: Processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes.

 

Therefore, while appointing a Data Protection Officer (DPO) and/or Data Representative is mandatory for clinical research projects in Serbia, a comprehensive understanding of the legal basis for data processing and the use of special categories of personal data is equally important. This knowledge ensures your research adheres to data protection regulations while fulfilling its goals.

 

4. Prioritize Data Protection for Ethical and Legal Research

 

Conducting clinical research in Serbia demands a meticulous approach to data protection. This is not merely a box-ticking exercise; it’s fundamental to ethical research practices, participant trust, and overall research success.

The Importance of Data Protection in Clinical Research:

  • Participant Trust

Robust data protection measures are paramount for building and maintaining trust with research participants. When individuals understand how their personal data will be handled, they are more likely to participate in clinical trials.

  • Research Integrity

Strong data protection safeguards ensure the integrity of research data, minimizing the risk of data breaches, manipulation, or misuse. This is crucial for generating reliable and trustworthy research outcomes.

Non-compliance can lead to severe consequences, such as:

  • Administrative Fines

Non-compliance with data protection regulations can result in substantial fines (up to 2 million RSD), significantly impacting research budgets and potentially jeopardizing the financial viability of research projects.

  • Delays in Clinical Trials

Regulatory investigations and non-compliance issues can lead to significant delays in clinical trial timelines, potentially impacting research progress.

  • Reputational Damage

Data breaches and non-compliance can severely damage the reputation of research institutions, investigators, and sponsors, eroding public trust and hindering future research collaborations.

To ensure robust data protection, it can be crucial to engage with experts specializing in data protection who can act as DPOs or Data Representatives in Serbia. Their expertise will be invaluable in developing and implementing a proactive data protection strategy, and conducting regular reviews to maintain ongoing compliance with Serbian (and other) data protection regulations.
