Data protection officer and healthcare providers
One of the new duties introduced by the General Data Protection Regulation, effective from 25 May 2018 (hereinafter the “GDPR”), is the duty of certain personal data controllers to designate a “data protection officer”. The GDPR provides that a fine for failure to designate a data protection officer may be up to EUR 10 million or up to 2% of the total worldwide annual turnover of the group.
In Article 37, the GDPR defines the entities which must appoint a data protection officer. Healthcare facilities need to pay particular attention to subparagraph c) of that article, according to which such an officer must be designated by those entities whose core activities “consist of processing on a large scale of special categories of data”. The notion of a special category of personal data corresponds to what we have known so far as “sensitive data”. Sensitive data, and thus also the special categories of data, include any data on health status.
It could thus appear at first sight that every healthcare provider is obliged to designate a data protection officer. Nonetheless, this is not so because not every provider processes data on health on a large scale.
Several factors must be taken into account when assessing whether a healthcare provider processes data on patients’ health status on a large scale. The most important factors include the number of patients and the volume of data processed. It is assumed that a high number of patients and large quantities of patients’ personal data processed on a regional, national or international level will imply a higher risk in terms of ensuring personal data protection. Based on this criterion, the processing of patients’ personal data in hospitals can be unambiguously considered processing on a large scale. In contrast, in line with the recitals of the GDPR, processing of personal data on patients carried out by an individual physician, e.g. in a private surgery of a general practitioner or some other specialist doctor, will usually not constitute data processing on a large scale.
Although the aforesaid examples are more or less clear, in a number of other cases, especially in respect of small private clinics or facilities specialising in the provision of healthcare services to foreign clients, it will be necessary to assess on a case-by-case basis whether or not the duty to designate a data protection officer applies to such entities. Preparation of a record of processing activities, including an assessment of the need to designate a data protection officer, is among the legal services we provide.
(6.11.2017)