23.9.2009   

EN

Official Journal of the European Union

C 229/19


Opinion of the European Data Protection Supervisor on the proposal for a Regulation of the European Parliament and of the Council amending, as regards pharmacovigilance of medicinal products for human use, Regulation (EC) No 726/2004 laying down Community procedures for the authorisation and supervision of medicinal products for human and veterinary use and establishing a European Medicines Agency, and on the proposal for a Directive of the European Parliament and of the Council amending, as regards pharmacovigilance, Directive 2001/83/EC on the Community code relating to medicinal products for human use

2009/C 229/04

THE EUROPEAN DATA PROTECTION SUPERVISOR,

Having regard to the Treaty establishing the European Community, and in particular its Article 286,

Having regard to the Charter of Fundamental Rights of the European Union, and in particular its Article 8,

Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1),

Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (2), and in particular its Article 41,

HAS ADOPTED THE FOLLOWING OPINION:

I.   INTRODUCTION

The proposals for amending the current pharmacovigilance system

1.

On 10 December 2008, the Commission adopted two proposals relating to the amendment of Regulation (EC) No 726/2004 and Directive 2001/83/EC respectively (3). Regulation (EC) No 726/2004 of the European Parliament and of the Council (4) lays down Community procedures for the authorisation and supervision of medicinal products for human and veterinary use and establishes the European Medicines Agency (hereinafter: ‘the EMEA’). Directive 2001/83/EC of the European Parliament and of the Council (5) contains rules on the Community code relating to medicinal products for human use, dealing with specific processes at Member State level. The proposed amendments relate to the parts in both instruments on pharmacovigilance of medicinal products for human use.

2.

Pharmacovigilance can be defined as the science and activities relating to the detection, assessment, understanding and prevention of adverse effects of medicinal products (6). The pharmacovigilance system currently in place within Europe makes it possible for patients and healthcare professionals to report adverse drug reactions to the relevant public and private bodies involved at national and European level. A Europe-wide database (the EudraVigilance database) is operated by the EMEA as a centralised point for managing and reporting suspected adverse drug reactions.

3.

Pharmacovigilance is seen as a necessary supplement to the Community system of authorisation of medicinal products which dates back to 1965 when Council Directive 65/65/EEC (7) was adopted.

4.

As follows from the Explanatory Memoranda and the Impact Assessment attached to the proposals, the current pharmacovigilance system suffers from a number of weaknesses, including a lack of clarity with regard to roles and responsibilities of the various actors involved, complicated procedures for adverse drug reaction reporting, the need for strengthened medicines safety transparency and communication and the need for rationalisation of the medicines risk management planning.

5.

The general intention of the two proposals is to remedy these weaknesses and to improve and strengthen the Community pharmacovigilance system with the overall objective of better protecting public health, ensuring proper functioning of the internal market and simplifying the current rules and procedures (8).

Personal data in pharmacovigilance and EDPS consultation

6.

The overall operation of the current pharmacovigilance system relies on the processing of personal data. These data are included in the adverse drug reactions reporting and can be considered as data relating to health (‘health data’) of the persons concerned since they reveal information about drug use and associated health problems. Processing of such data is subject to strict data protection rules as laid down in Article 10 of Regulation (EC) No 45/2001 and Article 8 of Directive 95/46/EC (9). The importance of protecting such data has recently repeatedly been emphasised by the European Court of Human Rights in the context of Article 8 of the European Convention of Human Rights: ‘The protection of personal data, in particular medical data, is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention’ (10).

7.

Despite this, no reference to data protection is included in the current text of Regulation (EC) No 726/2004 and Directive 2001/83/EC, except for one specific reference in the Regulation which will be discussed below in point 21 and further.

8.

The European Data Protection Supervisor (‘EDPS’) regrets that data protection aspects are not considered within the proposed amendments and that he was not formally consulted on both proposals for amendments as provided for by Article 28(2) of Regulation (EC) No 45/2001. The current opinion is therefore based on Article 41(2) of the same Regulation. The EDPS recommends that a reference to this opinion is included in the preamble of both proposals.

9.

The EDPS notes that although data protection is not sufficiently considered in both the current pharmacovigilance legal framework and the proposals, the practical application of the central Community EudraVigilance system clearly raises data protection issues. To this end, the current EudraVigilance system was notified by the EMEA to the EDPS in June 2008 for a prior check on the basis of Article 27 of Regulation (EC) No 45/2001.

10.

The current opinion and the conclusions by the EDPS on the prior check (publication of which is expected later this year) will necessarily contain some overlap. However, the focus of both instruments is different: whereas this opinion concentrates on the general legal framework supporting the system as it follows from Regulation (EC) No 726/2004 and Directive 2001/83/EC and the proposed amendments to it, the prior check constitutes a detailed data protection analysis concentrating on how the current rules have been further elaborated in subsequent instruments (e.g. decisions and guidelines) issued by the EMEA or the Commission and the EMEA jointly, and how the EudraVigilance system works in practice.

11.

This Opinion will first proceed with a simplified explanation of the system of pharmacovigilance in the EU as it follows from Regulation (EC) No 726/2004 and Directive 2001/83/EC in their present state. Subsequently, the necessity of processing of personal data in the context of pharmacovigilance will be analysed. After this, the proposals of the Commission for improving the current and envisaged legal framework will be discussed and recommendations will be made on how to ensure and improve the data protection standards.

II.   THE EU PHARMACOVIGILANCE SYSTEM: PERSONAL DATA PROCESSING AND DATA PROTECTION CONSIDERATIONS

Actors involved in collecting and disseminating the information

12.

Several actors are involved in collecting and disseminating information on adverse effects of medicinal products in the European Union. At national level, the two main actors are the Market Authorisation Holders (companies who are authorised to bring medicinal products on the market) and the National Competent Authorities (authorities responsible for the market authorisation). National Competent Authorities authorise products through national procedures, which include the ‘Mutual Recognition Procedure’ and the ‘Decentralised Procedure’ (11). For products which are authorised through the so-called ‘centralised procedure’, the European Commission can also act as a competent authority. An important additional actor at European level is the EMEA. One of the tasks of this agency is to ensure the dissemination of information on adverse reactions to medicinal products authorised in the Community, by means of a database, which is the earlier mentioned EudraVigilance database.

Collection and storage of personal data at national level

13.

Directive 2001/83/EC speaks in general terms about the responsibility of Member States to operate a pharmacovigilance system in which information is collected which is ‘useful in the surveillance of medicinal products’ (Article 102). On the basis of Articles 103 and 104 of Directive 2001/83/EC (see also Articles 23 and 24 of Regulation (EC) No 726/2004), Market Authorisation Holders must have their own system of pharmacovigilance in place in order to assume responsibility and liability for their products on the market and to ensure that appropriate action may be taken when necessary. Information is gathered from healthcare professionals or patients directly. All information relevant to the risk-benefit balance of a medicinal product must be reported electronically by the Market Authorisation Holder to the Competent Authority.

14.

Directive 2001/83/EC itself is not very precise about what kind of information on adverse effects should be collected at national level, how it should be stored or how it should be communicated. Articles 104 and 106 only refer to ‘reports’ which have to be drawn up. More detailed rules on these reports can be found in guidelines which are set up by the Commission, after consultation of the EMEA, the Member States and interested parties, on the basis of Article 106. In these guidelines on Pharmacovigilance for Medicinal Products for Human Use (hereinafter: ‘the Guidelines’) reference is made to so-called ‘Individual Case Safety Reports’ (hereinafter: ‘ICSRs’), which are reports about adverse effects of medicinal products relating to a specific patient (12). It follows from the Guidelines that one element of the minimum information required in the ICSRs is ‘an identifiable patient’ (13). It is indicated that the patient may be identified by initials, patient number, date of birth, weight, height and sex, hospital record number, information on the medical history of the patient, information on the parents of the patient (14).

15.

By emphasising the identifiability of the patient, the processing of this information clearly comes within the remit of the rules on data protection as laid down in Directive 95/46/EC. Indeed, although the patient is not mentioned by name, it is possible by putting the different pieces of information together (e.g. hospital, birth date, initials) and under specific conditions (e.g. in closed communities or small places) to identify him or her. Therefore, information processed in the context of pharmacovigilance should in principle be considered as relating to an identifiable natural person in the sense of Article 2(a) of Directive 95/46/EC (15). Although this is not made clear in both the Regulation and the Directive, it is recognised in the Guidelines where it is stated that ‘the information should be as complete as possible, taking into account EU legislation on data protection’ (16).

16.

It must be underlined that, despite the Guidelines, the reporting of adverse effects at national level is far from being uniform. This will be further discussed in points 24 and 25 below.

The EudraVigilance database

17.

A crucial role in the EU pharmacovigilance system is played by the EudraVigilance database which is maintained by the EMEA. As already mentioned, EudraVigilance is a centralised data processing network and management system for reporting and evaluating suspected adverse reactions during the development and following the marketing authorisation of medicinal products within the European Community and the countries which form part of the European Economic Area. The legal basis of the EudraVigilance database can be found in Article 57(1)(d) of Regulation (EC) No 726/2004.

18.

The current EudraVigilance database consists of two compartments, namely (1) information which follows from clinical trials (taking place before the medicine is put on the market, therefore called the ‘pre-authorisation’ period) and (2) information stemming from reports about adverse effects (gathered afterwards, therefore called the ‘post-authorisation’ period). The emphasis of the present opinion lies on this ‘post-authorisation’ period since the proposed amendments concentrate on this part.

19.

The EudraVigilance database contains data about patients resulting from the ICSRs. The EMEA is provided with ICSRs by the National Competent Authorities (see Article 102 of Directive 2001/83/EC and Article 22 of Regulation (EC) No 726/2004) and in some cases by the Market Authorisation Holders directly (see Article 104 of Directive 2001/83/EC and Article 24 of Regulation (EC) No 726/2004).

20.

The emphasis of the current Opinion lies on the processing of the personal information about patients. It should be noted, however, that the EudraVigilance database also contains personal information about the people working for the National Competent Authority or the Marketing Authorisation Holders when they are providing the information to the database. The full name, address details, contact details, identification document details of these people are kept in the system. Another category of personal information is data about the so-called Qualified Persons Responsible for Pharmacovigilance, who are nominated by the Market Authorisation Holders on the basis as referred to in Article 103 of Directive 2001/83/EC. Obviously, the rights and obligations stemming from Regulation (EC) No 45/2001 fully apply to the processing of this information.

Access to the EudraVigilance database

21.

Article 57(1)(d) of Regulation (EC) No 726/2004 states that the database should be permanently accessible to all Member States. Health-care professionals, Marketing Authorisation Holders and the public must furthermore have appropriate levels of access to this database, with personal data protection being guaranteed. As said above in point 7, this is the only provision in both the Regulation and Directive 2001/83/EC which makes reference to data protection.

22.

Article 57(1)(d) has led to the following regime on access. Once the EMEA receives an ICSR it is directly put in the EudraVigilance Gateway which is fully accessible by the EMEA, National Competent Authorities as well as the Commission. After the ICSR has been validated (checked on authenticity and uniqueness) by the EMEA, the information from the ICSR is transferred to the actual database. The EMEA, National Competent Authorities as well as the Commission have full access to the database, while Market Authorisation Holders only have access to the database subject to certain restrictions, namely access only to data which they themselves submitted to the EMEA. Aggregated information about ICSRs is finally put on the EudraVigilance website to which the general public has access, including healthcare professionals.

23.

On 19 December 2008, the EMEA published a draft access policy on its website for public consultation (17). The document shows how the EMEA envisages to implement Article 57(1)(d) of Regulation (EC) No 726/2004. The EDPS will briefly return to this subject from point 48 onwards below.

Weaknesses of the current system and the lack of data protection safeguards

24.

The Commission's Impact Assessment demonstrates a number of weaknesses of the current EU pharmacovigilance system, which is considered as complex and unclear. The complicated system of data collection, storage and sharing by different actors at national and European level is presented as one of the main deficiencies. This situation is further complicated by the fact that there are disparities in the way in which Directive 2001/83/EC is implemented in the Member States (18). As a consequence, National Competent Authorities as well as the EMEA are often confronted with incomplete or duplicative adverse drug reaction case reporting (19).

25.

This is due to the fact that, although a description of the ICSRs content is provided in the earlier mentioned Guidelines, it is left up to the Member States to decide the way in which these reports will be implemented at national level. This includes both the means of communication applied for the reporting by the Marketing Authorisation Holders to the National Competent Authorities, and the real information included in the reports (no standardised form is used for reporting within Europe). Moreover, some National Competent Authorities may apply specific quality criteria for the admissibility of the reports (depending on their content, level of completeness, etc.), whereas in other countries this might not be the case. It is obvious that the approach used at national level for the reporting and quality evaluation of the ICSRs has a direct impact on the way this reporting is performed towards EMEA, i.e. in the EudraVigilance database.

26.

The EDPS would like to emphasise that the above-mentioned weaknesses do not only lead to practical inconveniences but also pose a considerable threat to the protection of the health data of citizens. Although, as shown in the previous paragraphs, processing of health data takes place at several stages of the pharmacovigilance operation process, no provisions for the protection of these data currently exist. The only exception to this is the general reference to data protection in Article 57(1)(d) of Regulation (EC) No 726/2004, which only relates to the last stage of the data processing, namely the accessibility of the data contained in the EudraVigilance database. Moreover, the lack of clarity with regard to the roles and responsibilities of the different actors involved in the processing, as well as the lack of specific standards for the processing itself threatens the confidentiality, and also the integrity and accountability of the personal data being processed.

27.

The EDPS therefore wishes to emphasise that the absence of a thorough data protection analysis, reflected in the legal framework which forms the basis of the pharmacovigilance system in the EU, must also be seen as one of the weaknesses of the current system. This weakness should be remedied by amendments to the current legislation.

III.   PHARMACOVIGILANCE AND THE NEED FOR PERSONAL DATA

28.

As a preliminary and general concern, the EDPS wishes to raise the question whether the processing of health data about identifiable natural persons is actually necessary at all stages of the pharmacovigilance system (at national as well as at European level).

29.

As explained above, in the ICSRs the patient is not mentioned by name and as such not identified. However, the patient could still be identifiable in certain cases by combining different pieces of information in the ICSRs. As follows from the Guidelines, in some instances a specific patient number is given, which implies that the system as a whole allows for the traceability of the person involved. However, neither the Directive nor the Regulation makes reference to the traceability of persons as part of the purpose of the system of pharmacovigilance.

30.

The EDPS therefore urges the legislator to clarify whether traceability is indeed intended to serve as a purpose of pharmacovigilance at the different levels of processing and more specifically in the framework of the EudraVigilance database.

31.

In that respect, it is instructive to compare with the envisaged regime on organ donation and transplantation (20). In the context of organ transplantation the traceability of an organ to the donor as well as the recipient of the organ is of paramount importance, especially in cases of serious adverse events or reactions.

32.

In the context of pharmacovigilance, however, the EDPS has no sufficient evidence to conclude that traceability is actually always needed. Pharmacovigilance is about the reporting of adverse effects of medicinal products which are used by a (mostly) unknown number of people and will be used by a (mostly) unknown number of people. There is therefore — in any case in the ‘post-authorisation’ period — a less automatic and individual link between the adverse effect information and the person concerned than in the case of information about organs and the individuals involved in the transplantation of a specific organ. It is obvious that patients who have used a certain medicinal product and have reported about adverse effects, have an interest in knowing the outcome of any further assessment. This, however, does not imply that the reported information should in every case be linked to this specific person throughout the whole pharmacovigilance process. In many cases it should be sufficient to link the information about adverse effects to the medicinal product itself, which enables the actors involved, perhaps through healthcare professionals, to inform patients in general about the consequences of taking or having taken a certain medicinal product.

33.

If traceability is envisaged after all, the EDPS wishes to recall the analysis he made in his Opinion about the Commission proposal for a Directive on standards of quality and safety of human organs intended for transplantation. In this Opinion he explained the relation between traceability, identifiability, anonymity and confidentiality of data. Identifiability is a term which is crucial in data protection legislation (21). Data protection rules apply to data relating to persons that are identified or identifiable (22). Traceability of data to a specific person can be aligned with identifiability. In data protection legislation, anonymity is the opposite of identifiability, and thus traceability. Only if it is impossible to identify (or retrace) the person to whom the data relate, data are considered as anonymous. The notion of ‘anonymity’ is therefore different from how it is regularly understood in daily life, namely that an individual cannot be identified from the data as such, for instance because his or her name has been removed. In those situations one rather refers to confidentiality of the data, meaning that the information is only (fully) accessible to those authorised to have access. While traceability and anonymity cannot coexist, traceability and confidentiality can.

34.

Apart from traceability, another justification for keeping the patients identifiable throughout the whole pharmacovigilance process could be the well-functioning of the system. The EDPS understands that when information relates to an identifiable and therefore unique individual, it is easier for the relevant competent authorities (i.e. National Competent Authorities and EMEA) to monitor and control the content of an ICSR (e.g. to check for duplicates). Although the EDPS sees the need for such a control mechanism, he is not convinced that this alone would justify keeping data identifiable at all stages of the pharmacovigilance process and especially in the EudraVigilance database. By better structuring and coordinating the reporting system, for instance through a decentralised system as discussed below in point 42 and further, duplication could be avoided already at national level.

35.

The EDPS acknowledges that in particular circumstances it is impossible to make data anonymous. This is for instance the case if certain medicinal products are used by a very limited group of individuals. For those cases specific safeguards should be put in place to follow the obligations stemming from data protection legislation.

36.

To conclude, the EDPS seriously doubts whether traceability or the use of data about identifiable patients is necessary at every stage of the pharmacovigilance process. The EDPS is aware of the fact that it may not be possible to exclude the processing of identifiable data at every stage, especially at national level where the actual collection of information on adverse effects takes place. However, the data protection rules require that the processing of health data only takes place when it is strictly necessary. The use of identifiable data should therefore be reduced as far as possible and prevented or stopped at the earliest stage possible in cases where this is not deemed necessary. The EDPS would therefore urge the legislator to reassess the need to use such information at European level as well as at national level.

37.

It is noted that in cases where there is a real need to process identifiable data or when the data cannot be rendered anonymous (see point 35 above), the technical possibilities for indirect identification of data subjects should be explored, e.g. by making use of pseudonymisation mechanisms (23).

38.

The EDPS therefore recommends to introduce in Regulation (EC) No 726/2004 and Directive 2001/83/EC a new Article which states that the provisions of Regulation (EC) No 726/2004 and Directive 2001/83/EC are without prejudice to the rights and obligations stemming from the provisions of Regulation (EC) No 45/2001 and Directive 95/46/EC respectively, with specific reference to Article 10 of Regulation (EC) No 45/2001 and Article 8 of Directive 95/46/EC respectively. To this it should be added that identifiable health data shall only be processed when strictly necessary and parties involved should assess this necessity at every single stage of the pharmacovigilance process.

IV.   DETAILED ANALYSIS OF THE PROPOSAL

39.

Although data protection is hardly taken into account in the proposed amendments, a more detailed analysis of the proposal is still instructive as it shows that some of the envisaged changes increase the impact and subsequent risks for data protection.

40.

The general intention of the two proposals is to improve the consistency of the rules, to bring clarity about responsibilities, to simplify the reporting system and to strengthen the EudraVigilance database (24).

Clarity about responsibilities

41.

The Commission has clearly tried to improve clarity about responsibilities by proposing to amend current provisions in such a way that the legislation itself more explicitly spells out who should do what. Of course bringing clarity about the actors involved and their respective obligations regarding the reporting of adverse effects enhances the transparency of the system and is therefore also from a data protection perspective a positive development. Patients should in general terms be able to understand from the legislation how, when and by whom their personal data are being processed. However, the proposed clarity about duties and responsibilities should also be explicitly put in relation to those stemming from data protection legislation.

Simplification of the reporting system

42.

The simplification of the reporting system should be achieved by the use of national medicines safety web-portals which are linked to the European medicines safety web-portal (see the newly proposed Article 106 of Directive 2001/83/EC as well as Article 26 of Regulation (EC) No 726/2004). The national web-portals will contain publicly available forms for the reporting of suspected adverse reactions by healthcare professionals and patients (see the newly proposed Article 106(3) of Directive 2001/83/EC as well as Article 25 of Regulation (EC) No 726/2004). Also the European web-portal will contain information on how to report, including standard forms for web-based reporting by patients and healthcare professionals.

43.

The EDPS wishes to underline that, although the use of these web-portals and standardised forms will enhance the effectiveness of the reporting system, it at the same time increases the data protection risks of the system. The EDPS urges the legislator to make the development of such a reporting system subject to the requirements of data protection law. This implies, as indicated, that the necessity of processing personal data should be properly assessed with regard to every step of the process. This should be reflected in the way the reporting is organised at national level as well as the submission of information to the EMEA and the EudraVigilance database. In a broader sense, the EDPS strongly recommends developing uniform forms at national level which would prevent diverging practices leading to different levels of data protection.

44.

The envisaged system seems to imply that patients can report directly to the EMEA, or perhaps even directly to the EudraVigilance database itself. This would mean that, in the current application of the EudraVigilance database, the information will be put into the EMEA gateway, which as has been explained in points 21-22 above, is fully accessible for the Commission and the National Competent Authorities as well.

45.

In general terms, the EDPS strongly advocates a decentralised reporting system. Communication to the European web-portal should be coordinated through the use of the national web-portals which fall under the responsibility of the National Competent Authorities. The indirect reporting by patients, i.e. through healthcare professionals (through the use of web-portals or not) should also be used, rather than the possibility of direct reporting by patients especially to the EudraVigilance database.

46.

A system of reporting through web-portals in any case calls for strict security rules. In that respect, the EDPS would like to refer to his earlier mentioned Opinion on the proposed Directive for cross-border healthcare, especially the part on data security in the Member States and privacy in e-health applications (25). In that Opinion the EDPS already emphasised that privacy and security should be part of the design and implementation of any e-health application (‘privacy by design’) (26). The same consideration applies to the envisaged web-portals.

47.

The EDPS would therefore recommend including in the newly proposed Articles 25 and 26 of Regulation (EC) No 726/2004 and Article 106 of Directive 2001/83/EC, which deal with the development of a reporting system for adverse effects through the use of web-portals, an obligation to incorporate proper privacy and security measures. The principles of data confidentiality, integrity, accountability and availability could also be mentioned as main security objectives, which should be guaranteed at an even level in all Member States. The use of appropriate technical standards and means, like encryption and digital signature authentication, could be additionally included.

Strengthening the EudraVigilance database: improved access

48.

The newly proposed Article 24 of Regulation (EC) No 726/2004 deals with the EudraVigilance database. The Article makes clear that strengthening of the database implies an increased use of the database by the different parties involved, in terms of providing and accessing information to and from the database. Two paragraphs of Article 24 are of particular interest.

49.

Article 24(2) deals with the accessibility of the database. It replaces the current Article 57(1)(d) of Regulation (EC) No 726/2004, which was discussed before as the only provision currently referring to data protection. The reference to data protection is retained, but the number of actors subject to it is reduced. Where the current text indicates that appropriate levels of access to the database, with personal data being protected, shall be given to healthcare professionals, Market Authorisation Holders and the public, the Commission now proposes to move the Market Authorisation Holders from this list and give them access ‘to the extent necessary for them to comply with their pharmacovigilance obligations’, without any reference to data protection. The reasons for doing so are not clear.

50.

The third paragraph of Article 24 furthermore sets out the rules on access to the ICSRs. Access may be requested by the public and shall be provided within 90 days, ‘unless disclosure would compromise the anonymity of the subjects of the reports’. The EDPS supports the idea behind this provision, namely that only anonymous data can be disclosed. However, he wishes to emphasise, as explained before, that anonymity must be understood as the complete impossibility to identify the person who reported the adverse effect (see also point 33).

51.

The accessibility of the EudraVigilance system should in general be reassessed in light of the data protection rules. This also has direct consequences for the draft access policy published by the EMEA in December 2008, mentioned above in point 23 (27). In as far as information in the EudraVigilance database necessarily relates to identifiable natural persons, access to that data should be as restrictive as possible.

52.

The EDPS therefore recommends to include in the proposed Article 24(2) of Regulation (EC) No 726/2004 a sentence stating that the accessibility of the EudraVigilance database shall be regulated in conformity with the rights and obligations stemming from the Community legislation on data protection.

Rights of the data subject

53.

The EDPS wishes to underline that once identifiable data are processed, the party responsible for such processing should comply with all the requirements of the Community data protection legislation. This implies inter alia that the person involved is well-informed on what will be done with the data and who will be processing it and any further information required on the basis of Article 11 of Regulation (EC) No 45/2001 and/or Article 10 of Directive 95/46/EC. The person concerned should furthermore be enabled to invoke his or her rights at national as well as at European level, such as the right of access (Article 12 of Directive 95/46/EC and Article 13 of Regulation (EC) No 45/2001), the right to object (Article 18 of Regulation (EC) No 45/2001 and Article 14 of Directive 95/46/EC) etc.

54.

The EDPS would therefore recommend adding to the proposed Article 101 of Directive 2001/83/EC a paragraph which states that in case of processing of personal data the individual shall be properly informed in accordance with Article 10 of Directive 95/46/EC.

55.

The issue of access to someone's own information contained in the EudraVigilance database is not addressed in the current and proposed legislation. It must be emphasised that in cases in which it is felt necessary to hold personal data in the database, as just mentioned, the patient concerned should be enabled to invoke his or her right to access his or her personal data in conformity with Article 13 of Regulation (EC) No 45/2001. The EDPS would therefore recommend adding a paragraph to the proposed Article 24 stating that measures shall be taken which ensure that the data subject can exercise his right of access to personal data relating to him as provided for by Article 13 of Regulation (EC) No 45/2001.

V.   CONCLUSION AND RECOMMENDATIONS

56.

The EDPS takes the view that the lack of a proper assessment of the data protection implications of pharmacovigilance constitutes one of the weaknesses of the current legal framework set out by Regulation (EC) No 726/2004 and Directive 2001/83/EC. The current amendment of Regulation (EC) No 726/2004 and Directive 2001/83/EC should be seen as an opportunity to introduce data protection as a full-fledged and important element of pharmacovigilance.

57.

A general issue to be addressed thereby is the actual necessity of processing personal health data at all stages of the pharmacovigilance process. As explained in this Opinion, the EDPS seriously doubts this need and urges the legislator to reassess it at the different levels of the process. It is clear that the purpose of pharmacovigilance can in many cases be achieved by sharing information on adverse effects which is anonymous in the meaning of the data protection legislation. Duplication of reporting can be avoided through the application of well structured data reporting procedures already at national level.

58.

The proposed amendments envisage a simplified reporting system and a strengthening of the EudraVigilance database. The EDPS has explained that these amendments lead to increased risks for data protection, especially when it involves the direct reporting of patients to the EMEA or the EudraVigilance database. In this respect, the EDPS strongly advocates a decentralised and indirect reporting system whereby communication to the European web-portal is coordinated through using the national web-portals. The EDPS furthermore emphasises that privacy and security should be part of the design and implementation of a reporting system through the use of web-portals (‘privacy by design’).

59.

The EDPS furthermore underlines that once data concerning health about identified or identifiable natural persons is processed, the person responsible for such processing should comply with all the requirements of the Community data protection legislation.

60.

More specifically, the EDPS recommends:

to include a reference to this Opinion in the preamble of both proposals,

to introduce in both Regulation (EC) No 726/2004 and Directive 2001/83/EC a recital stating the importance of data protection in the context of pharmacovigilance, with references to the relevant Community legislation,

to introduce in Regulation (EC) No 726/2004 and Directive 2001/83/EC a new Article having a general nature which states that:

the provisions of Regulation (EC) No 726/2004 and Directive 2001/83/EC are without prejudice to the rights and obligations stemming from the provisions of Regulation (EC) No 45/2001 and Directive 95/46/EC respectively, with specific reference to Article 10 of Regulation (EC) No 45/2001 and Article 8 of Directive 95/46/EC respectively,

identifiable health data shall only be processed when strictly necessary and parties involved should assess this necessity at every single stage of the pharmacovigilance process,

to include in the proposed Article 24(2) of Regulation (EC) No 726/2004 a sentence stating that the accessibility of the EudraVigilance database shall be regulated in conformity with the rights and obligations stemming from the Community legislation on data protection,

to add a paragraph to the proposed Article 24 stating that measures shall be put in place which ensure that the data subject can exercise his right of access to personal data concerning him as provided for by Article 13 of Regulation (EC) No 45/2001,

to add to the proposed Article 101 of Directive 2001/83/EC a paragraph which states that in case of processing of personal data the individual shall be properly informed in accordance with Article 10 of Directive 95/46/EC,

to include in the newly proposed Articles 25 and 26 of Regulation (EC) No 726/2004 and Article 106 of Directive 2001/83/EC, which deal with the development of a reporting system for adverse effects through the use of web-portals, an obligation to incorporate proper privacy and security measures at an even level across Member States, taking into account the basic principles of confidentiality, integrity, accountability and availability of data.

Done at Brussels, 22 April 2009.

Peter HUSTINX

European Data Protection Supervisor


(1)  OJ L 281, 23.11.1995, p. 31.

(2)  OJ L 8, 12.1.2001, p. 1.

(3)  COM(2008) 664 final and COM(2008) 665 final.

(4)  OJ L 136, 30.4.2004, p. 1.

(5)  OJ L 311, 28.11.2001, p. 67.

(6)  See the Explanatory Memoranda to both proposals, p. 3.

(7)  OJ 22, 9.2.1965, p. 369.

(8)  See the Explanatory Memoranda at p. 2.

(9)  See on the definition of health data the EDPS Opinion of 2 December 2008 on the proposed Directive on patients’ rights in cross-border healthcare, points 15-17, available at http://www.edps.europa.eu

(10)  See ECHR 17 July 2008, I v Finland (appl. No 20511/03), paragraph 38 and ECHR 25 November 2008, Armonas v Lithuania (appl. No 36919/02), paragraph 40.

(11)  See the Impact Assessment, p. 10.

(12)  See Volume 9A of the Rules Governing Medicinal Products in the European Union: Guidelines on Pharmacovigilance for Medicinal Products for Human Use, to be found at: http://ec.europa.eu/enterprise/pharmaceuticals/eudralex/vol-9/pdf/vol9a_09-2008.pdf

(13)  See the Guidelines, p. 57.

(14)  See footnote 13.

(15)  Article 2(a) of Directive 95/46/EC defines ‘personal data’ as ‘any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.’ Recital 26 further specifies: ‘… to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.’ For further analysis see Article 29 Working Party, Opinion 4/2007 on the concept of personal data (document WP 136), adopted on 20 June 2007 and available at http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm. This is also relevant for Regulation (EC) No 45/2001.

(16)  See footnote 13.

(17)  See draft EudraVigilance access policy for medicines for human use of 19 December 2008, to be found at http://www.emea.europa.eu/pdfs/human/phv/18743906en.pdf

(18)  See Impact Assessment, p. 17.

(19)  See footnote 18.

(20)  See the Commission proposal for a Directive of the European Parliament and of the Council on standards of quality and safety of human organs intended for transplantation, COM(2008) 818 final. See the EDPS Opinion of 5 March 2009, available at http://www.edps.europa.eu

(21)  See the EDPS Opinion, points 11-28.

(22)  See Article 2(a) of Directive 95/46/EC and Article 3(a) of Regulation (EC) No 45/2001, and further explanation in footnote 13.

(23)  Pseudonymisation is a process which can be used to disguise the identity of the data subject, while keeping the data retraceable. Different technical possibilities exist, e.g. secure maintenance of lists between real identities and pseudonyms, use of two-way cryptographic algorithms, etc.

(24)  See the Explanatory Memoranda, p. 2-3.

(25)  See EDPS Opinion mentioned in footnote 7 on the proposed Directive on patients’ rights in cross-border healthcare, points 32-34.

(26)  See point 32 of the Opinion.

(27)  See also footnote 15.