# 19 The Bulgarian Commission for Personal Data Protection Published an Opinion on the Form of Authorisation regarding the Exercise of Rights of Data Subject before Medical Institutions

An opinion of the Bulgarian Commission for Personal Data Protection (the Commission) that matters to any controller, on the form of authorisation required for the exercise of data subject rights before medical institutions, has recently been published on the Commission's website.

The Commission issued its statement in response to an enquiry submitted by a medical institution regarding patients' access to their personal data, as well as the exercise of their rights as data subjects through an authorised person. The issue arose while the institution was preparing its internal data protection rules, with the aim of aligning its data processing activities with the requirements of Regulation (EU) 2016/679. Neither European nor national legislation contains clear provisions on this point. In short: is a notarised form of authorisation required when another person exercises the data subject's rights under Articles 15-22 of the Regulation?

In its legal analysis, the Commission examines the conditions for the exercise of data subject rights set out in Art. 12 of the Regulation. For the controller, the starting point is verification of the data subject's identity. How that verification is carried out depends on the specifics of each case, but the controller is generally expected to rely on the data it already holds about the subject. Where there is doubt, the controller may request additional information from the data subject; if none is provided, or what is provided is unconvincing, the controller may refuse to act on the request, but it then bears the burden of proving that the subject's identity could not be verified. On the data subject's side, the procedure for submitting a rights request is laid down in the Personal Data Protection Act: a written application to the controller is required, unless the controller provides otherwise, including by electronic means or through a user interface. The Act states that an application submitted by an authorised person shall be accompanied by the respective form of authorisation. The Commission further refers to the Health Act, which allows patients to authorise another person, in writing, to consult their medical records and make copies of them. Taking into account the general rules on authorisation in the Obligations and Contracts Act, which require an aggravated (notarised) form of authorisation only for transactions that themselves require an aggravated form, and the absence of any such requirement in the special legislation relevant to the case, the Commission concludes in response to the enquiry that medical institutions, in their capacity as controllers, have no legal grounds to require notarial certification of the signature on an authorisation to exercise the data subject's rights under Art. 15-22 of the Regulation.

Although delivered in the context of the exercise of data subject rights before one specific type of controller, namely medical institutions, the Commission's conclusions can be applied to every case in which data subject rights under the Regulation are exercised. In the absence of specific regulation, a "standard" written authorisation should always be sufficient for their exercise through an authorised person.

# 18 The Bulgarian Commission for Personal Data Protection published an opinion on the determination of the figures of “controller” and “processor” in the conduct of clinical trials

An opinion of the Bulgarian Commission for Personal Data Protection (CPDP/Commission) that is crucial for the pharmaceutical sector, on the determination of the roles of "controller" and "processor" in the conduct of clinical trials, was published on 10.06.2019 on the Commission's website.

According to the opinion, when conducting clinical trials, the medical institutions and the sponsor of the clinical trial act as joint controllers within the meaning of Art. 26 of Regulation (EU) 2016/679 (GDPR).

The opinion was published after CPDP examined a request by a company acting as a "sponsor" within the meaning of § 1, item 8 of the Additional Provisions of the Medicinal Products in Human Medicine Act (MPHMA), i.e. a company responsible for initiating, managing and/or financing a clinical trial and participating in the clinical trials it has initiated. The requesting company states that, while conducting clinical trials, the sponsor also has relations with other persons participating in the trials, namely the principal investigator and the investigators, as well as the members of the investigator's team: collaborators, monitors and auditors of the trial.

To clearly determine the roles of the parties, CPDP examines the concepts of "controller" and "processor" in the light of the national and EU legislation governing clinical trials. CPDP explains that Regulation (EU) No 536/2014 of the European Parliament and of the Council on clinical trials on medicinal products for human use, together with the MPHMA, exhaustively determines the functions and tasks of every person participating in a clinical trial. According to the Commission, the data processing activities involved in conducting a clinical trial cannot be carried out "on behalf" of the sponsor, because the sponsor is not permitted to carry them out itself; they may only be carried out by organisations authorised under the applicable procedures and having the status of a "medical institution". This is yet another confirmation of the position long held in both theory and practice (including that of CPDP) that not every assignment contract automatically gives rise to a controller-processor relationship, and that the roles and responsibilities of the parties with regard to the processing of personal data can only be determined adequately by taking into account the nature of the rights and obligations of the parties in their contractual relationship.

An additional argument for this classification of the parties' roles, according to CPDP, is Opinion 1/2010 of the Article 29 Data Protection Working Party (now the European Data Protection Board) on the concepts of "controller" and "processor", which explicitly states that, when conducting clinical trials, the participants process personal data as joint controllers (p. 30 of the Opinion).

The main consequence of this opinion for pharmaceutical companies and the medical institutions that conduct clinical trials is that they will need to conclude an agreement between themselves that determines, in a transparent manner, their respective responsibilities for compliance with data protection obligations. In particular, they will have to regulate the exercise of data subject rights and their respective duties to provide the information referred to in Art. 13 and 14 of GDPR. Furthermore, the data subjects participating in the clinical trial may exercise their rights in respect of and against each of the controllers (Art. 26, Para. 3 of GDPR).