The latest data protection reform is a legislative "bundle" introduced to update and modernise the existing data protection rules within the European Union. Included in the reform is the General Data Protection Regulation (Regulation (EU) 2016/679),1 which regulates the processing by individuals, companies or organisations of personal data relating to individuals in the EU ("GDPR" or "the Regulation") and replaces Directive 95/46/EC. Since it became applicable on 25 May 2018, there have been several regulatory actions taken against hospitals around Europe which have highlighted the significant impact these reforms have had on the medical profession.
Purpose of the GDPR
The GDPR aims primarily to enhance the individual rights contained in Directive 95/46/EC and to improve business opportunities by facilitating the free flow of personal data in the digital single market, while also introducing important obligations on how organisations and professionals handle personal data as controllers and processors. Controllers and processors each have distinct obligations under the GDPR.
Article 4 of the GDPR defines a Controller as the natural or legal person who determines the purpose and manner of processing.2 The Processor is defined as a person who performs the processing of personal data on behalf of the controller.3
The GDPR is directly relevant to any organisation that processes4 and has access to the personal, sensitive and confidential data of clients and employees, including health-related data concerning the physical or mental health of a natural person which reveals information about that individual's health status. As a result, this legislation has a significant impact on the medical profession, since the treatment of patients necessarily involves collecting, analysing, managing and storing patients' sensitive health information. Such information is considered "special category" data for the purposes of the GDPR, and special considerations apply to its processing.5
Obligations Imposed by the GDPR
In general, the GDPR builds on existing principles and adds tighter obligations and restrictions on businesses.
The GDPR, inter alia, regulates the processing by individuals, companies or organisations of personal data relating to individuals in the EU, and requires those individuals, companies and organisations to implement appropriate technical and organisational security measures to protect that personal data.
Lawfulness of certain processing operations - When is it legal to process simple personal data?
According to Article 6(1) of the Regulation, it is lawful to process simple personal data of a data subject under any of the following circumstances: if the data subject has given consent; for the performance of a contract to which the data subject is party; in order to take steps at the request of the data subject...