Several factors must be taken into account when assessing whether a healthcare provider processes data on patients’ health status on a large scale. The most important factors include the number of patients and the volume of data processed. It is assumed that a high number of patients and large quantities of patients’ personal data processed on a regional, national or international level will imply a higher risk in terms of ensuring personal data protection. Based on this criterion, processing of patients’ personal data in hospitals can be unambiguously considered processing on a large scale. In contrast, in line with the recitals of the GDPR, processing of patients’ personal data carried out by an individual physician, e.g. in a private surgery of a general practitioner or some other specialist doctor, will usually not constitute data processing on a large scale.
Although the aforesaid examples are more or less clear, in a number of other cases, especially in respect of small private clinics or facilities specialising in the provision of healthcare services to foreign clients, it will be necessary to assess on a case-by-case basis whether or not the duty to designate a data protection officer applies to such entities. Preparation of a record of processing activities, including an assessment of the need to designate a data protection officer, is among the legal services we provide.