Data protection officer and healthcare providers
One of the new duties introduced by the General Data Protection Regulation, effective from 25 May 2018 (hereinafter the “GDPR”), is the duty of certain personal data controllers to designate a “data protection officer”. The GDPR provides that a fine for failure to designate a data protection officer may be up to EUR 10 million or up to 2% of the total worldwide annual turnover of the group.
In Article 37, the GDPR defines the entities which must appoint a data protection officer. Healthcare facilities need to pay attention especially to subparagraph c) of that article, according to which such an officer must be designated by those entities whose core activities “consist of processing on a large scale of special categories of data”. The notion of a special category of personal data corresponds to what we have known so far as “sensitive data”. Sensitive data, and thus also special categories of data, include any data on health status.
It could thus appear at first sight that every healthcare provider is obliged to designate a data protection officer. Nonetheless, this is not so because not every provider processes data on health on a large scale.
Several factors must be taken into account when assessing whether a healthcare provider processes data on the patients’ health status on a large scale. The most important factors include the number of patients and the volume of data processed. It is assumed that a high number of patients and large quantities of patients’ personal data processed on a regional, national or international level will imply a higher risk in terms of ensuring personal data protection. Processing of patients’ personal data in hospitals can be unambiguously considered processing on a large scale based on this criterion. In contrast, in line with the recitals of the GDPR, processing of personal data on patients carried out by an individual physician, e.g. in a private surgery of a general practitioner or some other specialist doctor, will usually not constitute data processing on a large scale.
Although the aforesaid examples are more or less clear, in a number of other cases, especially in respect of small private clinics or facilities specialising in the provision of healthcare services to foreign clients, it will be necessary to assess on a case-by-case basis whether or not the duty to designate a data protection officer will apply to such entities. Preparation of a record of processing activities, including an assessment of the need to designate a data protection officer, is among the legal services we provide.
(6.11.2017)