Data protection officer and healthcare providers


One of the new duties introduced by the General Data Protection Regulation, effective from 25 May 2018 (hereinafter the “GDPR”), is the duty of certain personal data controllers to designate a “data protection officer”. The GDPR provides that a fine for failure to designate a data protection officer may be up to EUR 10 million or up to 2% of the total worldwide annual turnover of the group.

In Article 37, the GDPR defines entities which must appoint a data protection officer. Healthcare facilities need to pay attention especially to subparagraph c) of that article, according to which such an officer must be designated by those entities whose core activities “consist of processing on a large scale of special categories of data”. The notion of special category of personal data corresponds to what we have known so far as “sensitive data”. Sensitive data, and thus also a special category of data, also include any data on the health status.

It could thus appear at first sight that every healthcare provider is obliged to designate a data protection officer. Nonetheless, this is not so because not every provider processes data on health on a large scale.

Several factors must be taken into account when assessing whether a healthcare provider processes data on the patients’ health status on a large scale. The most important factors include the number of patients and the volume of data processed. It is assumed that a high number of patients and large quantities of patients’ personal data processed on a regional, national or international level will imply a higher risk in terms of ensuring personal data protection. Processing of patients’ personal data in hospitals can be unambiguously considered processing on a large scale based on this criterion. In contrast, in line with the recitals of the GDPR, processing of personal data on patients carried out by an individual physician, e.g. in a private surgery of a general practitioner or some other specialist doctor, will usually not constitute data processing on a large scale.

Although the aforesaid examples are more or less clear, in a number of other cases, especially in respect of small private clinics or facilities specialising in the provision of healthcare services to foreign clients, it will be necessary to assess on a case-by-case basis whether or not the duty to designate a data protection officer applies to such entities. Preparation of a record of processing activities, including an assessment of the need to designate a data protection officer, belongs among the legal services we provide.