Processors of health data: How will they be affected by the GDPR?


As we have mentioned in our previous articles, the General Data Protection Regulation 679/2016 will bring revolutionary changes to the healthcare sector. Among others, the business activities of Internet service providers, cloud providers, pharmacovigilance service providers, Contract Research Organisations and patient service call centers, which are considered processors of personal data, will also be affected by the upcoming changes.

1) What differentiates the data controller from the data processor?

“Data controller” is the natural or legal person who determines the purposes and means of the processing of personal data. For instance, such a person determines the types of data and their storage period, as well as the people who may have access to the data. In the healthcare sector, data controllers can be health service providers, as well as pharmaceutical and medical device companies, which usually handle large amounts of personal data.

On the other hand, according to the Regulation, “processor” means a natural or legal person who processes personal data on behalf of the controller (or in the interest of the latter) and who may take decisions on certain technical and organizational issues.

2) What is the revolutionary change between the old regime and the new regime applying after 25 May 2018?

According to the old regime, responsibility for the processing of personal data and accountability before the competent authority lies with both the controller and the processor. The processor’s failure to comply with its obligations may lead to the imposition of the heaviest fines.

3) What will be the processor’s basic obligations under the GDPR?

  • The Data Processor shall provide sufficient guarantees that it will implement appropriate technical and organizational measures to ensure that processing complies with the requirements of the GDPR (e.g. adoption of a Code of Conduct, Certification) and protects data subjects’ rights.
  • The Data Processor’s obligations shall be governed by a binding contract with the controller, which shall regulate the manner of data processing. Personal data shall be processed only on documented instructions from the controller. It should be noted that this contract will be examined in the event of monitoring by the Supervisory Authority in order to determine the parties’ liability.
  • The processor shall, at the choice of the controller, delete or return all personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data (e.g. in the case of clinical trials, data records must be kept for 25 years).
  • In order to demonstrate compliance with the Regulation, the processor or its sub-contractors must maintain records of processing activities. In general, such an obligation applies to an enterprise or organization employing more than 250 persons unless the processing carried out is likely to put at risk the rights and freedoms of data subjects. In our opinion, since health data processing puts data subjects’ rights at high risk, processors of health data should undertake this obligation.
  • The processor may be required to appoint a Data Protection Officer where its activities involve the processing of health data.

4) What are the obligations of the processor when contracting with other subcontractors?

  • When a data processor engages another processor, the former must obtain prior written consent from the data controller. However, even when general consent has been given, the processor is still required to inform the controller of any new sub-processors, giving the controller time to object.
  • The lead processor is required to reflect the same contractual obligations it has with the controller in a contract with any sub-processors, and it remains liable to the controller for the actions or inactions of any sub-processor.

5) What are the processor’s obligations in the event of a personal data breach?

  • Processors are required to notify their controller of any breach without undue delay after becoming aware of it. The time limit can be specified in detail in controller/processor contracts.
  • Each data subject shall have the right to an effective judicial remedy against the processor whenever he or she considers that his or her rights under the Regulation have been infringed as a result of the processing of his or her personal data.
  • What is more, the Supervisory Authority may impose fines directly on the Processor, as well as on the Controller, amounting to 20 million euros and 4% of the annual turnover of the preceding financial year.

Our law firm’s comment

The application of the GDPR will undoubtedly impose direct obligations on data processors, thus influencing the daily operation of enterprises acting as data processors. In any case, processors should review their existing contracts with data controllers or sign new ones. We believe that data processors who are able to demonstrate compliance with the GDPR will acquire an invaluable advantage in the healthcare market, where data protection requirements are higher. Finally, it should be mentioned that, according to the Regulation, national legislation may be issued with regard to health data, which may impose new obligations on data processors.