EU Data Protection and Security Update, COCIR Annual Meeting 2016

DATA PROTECTION UPDATE Erik Vollebregt COCIR Annual Meeting 17 March 2016


DATA PROTECTION UPDATE

Erik Vollebregt
COCIR Annual Meeting
17 March 2016

Some top operational impacts of the GDPR for a health IT company

1. Consent
2. Security and breach notification
3. Profiling
4. RTBF and data portability
5. Vendor management
6. Personal data concerning health?
7. International transfers

1. Consent

• Consent requirements enhanced, definition of consent restricted
• “freely given, specific, informed and unambiguous”
• clear affirmative action
• as easy to withdraw as to give it – data must be erased then and can no longer be used for processing
• Not freely given in case of imbalance
• Not making consent conditional upon service provision, unless processing is necessary for the service
• Consent for subsequent processing unless subsequent operations are “compatible”

2. Security & breach notification

• More prescriptive regarding “appropriate technical and organizational measures” because it specifies what kinds of security actions might be considered “appropriate to the risk,” including:
  • pseudonymisation and encryption of personal data
  • ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data
  • ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident
  • process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
• GDPR contains a definition of “personal data breach,” and notification requirements to both the supervisory authority (<72 hours unless justifiable) and affected data subjects

3. Profiling

• Health IT business models are all about profiling
• Profiling: “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's […], health […]”
• Data subject
  • has “right to be informed” of consequences and right of access
  • may contest decisions “that significantly affect him or her” made based on profiling with contract or consent as basis
  • may “object”, ending legal basis for processing, unless overriding interests
• Duty to avoid data inaccuracies and errors, implement security and minimize discriminatory effects
• Impact assessment mandatory

4. Right To Be Forgotten and Data Portability

• “Right to erasure”
  • Exception: among others scientific research and public interest related processing
• Data portability: data subject has right to receive personal data in a structured and commonly used and machine-readable format and has right to transmit / request transmission of those data to another controller without hindrance from the controller to which the data have been provided, if:
  • processing is based on consent or contract; and
  • processing is carried out by automated means

5. Vendor management

• GDPR expands significantly on controller responsibility

• e.g. impact assessment, breach notification, record keeping

• GDPR has specific duties for processors too, e.g. assist with security and impact assessment

• GDPR sets out rules for allocating responsibility between controller and processor

• controller must select processor that provides sufficient guarantees that it can implement technical and organisational measures required

• More detailed requirements for controller-processor contracts

• re-assess current agreements!

6. Data concerning health

• Article 83: exemption for scientific research purposes, subject to data minimisation measures such as pseudonymisation and anonymisation.
• Automated processing subject to PIA

6. Data concerning health: data case study

• Performance data becomes health data

7. International transfers

• Similar structure as under DPD:
  • to jurisdictions with adequacy finding (new: country, territory, sector)
  • with “appropriate safeguards”
    • BCR
    • SCCs
    • new: approved code of conduct
    • new: certification mechanism with binding and enforceable commitments
• “Privacy Shield” hopefully up and running in June
• it is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country – big fines possible

GDPR: threatening healthcare

Timeline for adoption

• GDPR likely to be adopted in June 2016

• Transitional period of two years

• And then there are the delegated and implementing acts that need to be adopted to make the GDPR properly operational


www.axonlawyers.com

THANKS FOR YOUR ATTENTION

Erik Vollebregt
Axon Lawyers
Piet Heinkade 183
1019 HC Amsterdam
T +31 88 650 6500
F +31 88 650 6555
M +31 6 47 180 683
E [email protected]
@meddevlegal
B http://medicaldeviceslegal.com

READ MY BLOG: http://medicaldeviceslegal.com