Data protection officer and healthcare providers
One of the new duties introduced by the General Data Protection Regulation, effective from 25 May 2018 (hereinafter the “GDPR”), is the duty of certain personal data controllers to designate a “data protection officer”. The GDPR provides that a fine for failure to designate a data protection officer may be up to EUR 10 million or up to 2% of the total worldwide annual turnover of the group.
In Article 37, the GDPR defines the entities which must appoint a data protection officer. Healthcare facilities need to pay particular attention to subparagraph c) of that article, according to which such an officer must be designated by those entities whose core activities “consist of processing on a large scale of special categories of data”. The notion of a special category of personal data corresponds to what we have known so far as “sensitive data”. Sensitive data, and thus also the special categories of data, include any data on health status.
It could thus appear at first sight that every healthcare provider is obliged to designate a data protection officer. Nonetheless, this is not so because not every provider processes data on health on a large scale.
Several factors must be taken into account when assessing whether a healthcare provider processes data on the patients’ health status on a large scale. The most important factors include the number of patients and the volume of data processed. It is assumed that a high number of patients and large quantities of patients’ personal data processed on a regional, national or international level will imply a higher risk in terms of ensuring personal data protection. Processing of patients’ personal data in hospitals can be unambiguously considered processing on a large scale based on this criterion. In contrast, in line with the recitals of the GDPR, processing of personal data on patients carried out by an individual physician, e.g. in a private surgery of a general practitioner or some other specialist doctor, will usually not constitute data processing on a large scale.
Although the aforesaid examples are more or less clear, in a number of other cases, especially in respect of small private clinics or facilities specialising in the provision of healthcare services to foreign clients, it will be necessary to assess on a case-by-case basis whether or not the duty to designate a data protection officer will apply to such entities. Preparation of a record of processing activities, including an assessment of the need to designate a data protection officer, is among the legal services we provide.
(6.11.2017)