New European Data Protection legislation: what are the implications for industry?
At the end of April this year the European Union adopted two key documents:
- The new Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR)
- The new Directive (EU) 2016/680 on the protection of personal data processed by competent authorities for the prevention, investigation, detection or prosecution of criminal offences (referred to below as GDPD)
While the Directive is addressed to the Member States and concerns processing by their police and judicial authorities, the Regulation applies directly to industry and to every entity that falls within the definitions of Data Controller and Data Processor.
EU Data Protection Legislation – a brief summary
1) Legislative Background
There are 3 European legislative documents currently in force which regulate the collection and processing of Personal Data (of which so-called Sensitive Data is a subset, see point 2).
- The European Directive 95/46/EC, adopted on 1995-10-24, on the protection of individuals with regard to the processing of personal data.
This Directive is still in force. It has been transposed into the national legislative systems of all EU Member States.
- The new European Regulation 2016/679, the General Data Protection Regulation (GDPR), adopted on 2016-04-27 and entered into force on 2016-05-24. It becomes fully applicable (end of the transition period) on 2018-05-25.
So we are in the transition period. Companies which find themselves included in the definition of "Data Controllers" or "Data Processors" remain bound by the national laws transposing Directive 95/46/EC until 2018-05-25; the transition period is the time in which they must bring their processing into line with the new Regulation 2016/679, since its obligations apply from that date without any further transposition.
After 2018-05-25 companies must comply with the new Reg 2016/679 and the old Directive is repealed.
- The new European Directive 2016/680 (GDPD), adopted on 2016-04-27, which has to be transposed into the national legislative systems of all EU Member States by 2018-05-06.
This new Directive covers the processing of Personal Data (PD) by competent authorities (police, prosecutors, courts) for the prevention, investigation, detection or prosecution of criminal offences; it sets the rules which each Member State (MS) must put in place for such processing and does not apply to private-sector controllers and processors.
Taking the above into account, the legislative documents which have to be taken into account by any "Data Controller" or "Data Processor" company are the current Directive 95/46/EC (through its national transposition) and the new EU Regulation 2016/679.
2) Definitions (simplified)
- Personal Data = any data relating to an identified or identifiable natural person
- Personal Data = Identification Data + Sensitive Data + Judiciary Data // PD = ID + SD + JD
ID = data like name, address, phone number, mobile number, e-mail address(es), names of parents, social security number etc.
SD = religion, sexual orientation, membership of associations, political opinions, commercial preferences, areas of interest, health information in general, marital status etc.
JD = fines, legal proceedings, sentences etc.
- Processing of PD = any activity in which PD are manipulated, stored, shared, communicated etc.
- Controller = entity which determines the purpose and the means of processing PD
- Processor = entity which processes PD on behalf of the controller
- Data-Subject’s Consent = agreement by the person to have his/her PD processed
3) Obligations under the EU General Data Protection Directive
Under the current Directive 95/46 each Data Controller must respect the following rules:
- PD must be processed legally(*) and fairly;
- PD must be collected for explicit and legitimate purposes and used accordingly;
- PD must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed;
- PD must be accurate, and updated where necessary;
- Data controllers must ensure that data subjects can rectify, remove or block incorrect data about themselves;
- Data that identifies individuals (personal data) must not be kept any longer than strictly necessary;
- Data controllers must protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the appropriate security measures;
- These protection measures must ensure a level of protection appropriate to the data.
(*) The meaning of "legal" in this context is the following:
Under the Data Protection Directive, collecting and processing the personal data of individuals is only legitimate in one of the following circumstances laid down by Article 7 of the Directive:
- Where the individual concerned, (the ‘data subject’), has unambiguously given his or her consent, after being adequately informed; or
- if data processing is needed for a contract, for example, for billing, a job application or a loan request; or
- if processing is required by a legal obligation; or
- if processing is necessary in order to protect the vital interest of the data subject, for example, processing of medical data of a victim of a car accident; or
- if processing is necessary to perform tasks of public interests or tasks carried out by government, tax authorities, the police or other public bodies; or
- if the data controller or a third party has a legitimate interest in doing so, as long as this interest does not affect the interests of the data subject, or infringe on his or her fundamental rights, in particular the right to privacy. This provision establishes the need to strike a reasonable balance between the data controllers’ business interests and the privacy of data subjects.
Note that Article 8 prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life, unless one of the exception criteria listed in that Article is met.
4) Enforcement/control bodies established at National Level
Each EU Member State has designated a Supervisory Authority which is responsible for the control and enforcement activities in the field of Personal Data Protection.
The exact procedures to be followed in order to interact with the Supervisory Authority (for example for the notification of processing operations) vary from one Member State to another.
For this reason each entity defined as a data controller has the obligation to get in touch with the Supervisory Authority of the Member State in which it is legally established in order to understand exactly what it should do.
The list of the various European Data Protection agencies (Supervisory Authorities) can be found at the following link.
5) What in vitro diagnostic (IVD) and medical device (MD) manufacturers should do
First of all it is crucial for any organization to understand whether it falls within the definition of data controller or data processor (or both).
The definitions given in the Regulation (Art. 4) are:
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
A practical example: more and more complex MD/IVD instruments are permanently connected via the internet to their manufacturers or distributors, so that these parties can continuously follow the instrument's performance, monitor its status and proactively flag problems even before the user notices them. Such network connectivity enables the suppliers of medical/diagnostic equipment to service their instruments more effectively, to plan proactive maintenance visits and to avoid down-time which could affect the capability of the health institutions to deliver their services.
Regarding the obligations set forth by the European legislation on Data Protection, the ideal situation would be that the operating software of such medical/diagnostic equipment is designed so as to prevent personal data (as defined above at point 2) from ever becoming available to the suppliers of such instruments (manufacturers, country organizations, distributors etc.).
In practice this means filters which block the transmission of, and remote access to, any PD present on the systems which are connected via the internet. The filter has to cover not only the obvious patient fields but also free-text fields (comments, logs, sample descriptions) in which PD can appear unexpectedly.
In this case, provided that this characteristic of the software is adequately validated and documented (the validation evidence should show that no PD field can reach the outbound channel), manufacturers and distributors would be outside the scope of the EU Data Protection legislation for these instruments, because they would fit the definition of neither data controller nor data processor.
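The filter design described above, as an added example that is not code from the page or from any manufacturer's product: a Python allowlist applied to an instrument's outbound status record before it is sent to the supplier. Only fields that are both named in the schema and carry a value of the expected shape are transmitted; everything else is dropped on the instrument. The field names, the schema, the list of known personal-data keys and the sample record are all constructed for illustration and are not from the page.

```python
"""Outbound telemetry filter for a connected IVD instrument (added example).

Assumptions (not from the page): the field names, the schema, PD_KEYS and
SAMPLE_RECORD below are constructed for illustration. Design: a positive
allowlist with per-field value validation. Only the *names* of dropped fields
are reported, never their values, so the filter's own audit trail cannot
re-leak personal data to the manufacturer.
"""
from __future__ import annotations

import json
import re
from typing import Any, Callable


def _matches(pattern: str) -> Callable[[Any], bool]:
    """Validator factory: value must be a string that fully matches `pattern`."""
    compiled = re.compile(pattern)
    return lambda v: isinstance(v, str) and compiled.fullmatch(v) is not None


def _number_in(lo: float, hi: float) -> Callable[[Any], bool]:
    """Validator factory: value must be a real number in [lo, hi] (bools excluded)."""
    return lambda v: (isinstance(v, (int, float)) and not isinstance(v, bool)
                      and lo <= v <= hi)


def _error_code_list(v: Any) -> bool:
    """List of fixed-format error codes only, so no free text can hide here."""
    return (isinstance(v, list)
            and all(isinstance(c, str) and re.fullmatch(r"E\d{3}", c) for c in v))


# Engineering fields the supplier legitimately needs for servicing (hypothetical
# names), each with a validator that rejects anything of an unexpected shape.
TELEMETRY_SCHEMA: dict[str, Callable[[Any], bool]] = {
    "device_serial": _matches(r"[A-Z0-9]{6,16}"),
    "firmware_version": _matches(r"\d+\.\d+\.\d+"),
    "timestamp": _matches(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"),
    "error_codes": _error_code_list,
    "temperature_c": _number_in(-40.0, 120.0),
    "runs_since_service": _number_in(0, 10**6),
}

# Keys known to carry patient or operator data (hypothetical). They are dropped
# like any other non-schema key but reported separately so a sighting can be
# investigated as a design defect in the integration that produced the record.
PD_KEYS = frozenset({"patient_id", "patient_name", "date_of_birth",
                     "operator_name", "operator_email", "sample_comment"})


def filter_telemetry(record: dict[str, Any]) -> tuple[dict[str, Any], dict[str, list[str]]]:
    """Return (outbound_record, report).

    report holds the *names* (never the values) of dropped fields:
      pd_keys        - known personal-data keys present in the input
      unknown_keys   - keys not in the schema (free text, LIS leftovers, ...)
      invalid_values - schema keys whose value failed validation
    """
    outbound: dict[str, Any] = {}
    report: dict[str, list[str]] = {"pd_keys": [], "unknown_keys": [], "invalid_values": []}
    for key, value in record.items():
        if key in PD_KEYS:
            report["pd_keys"].append(key)
        elif key not in TELEMETRY_SCHEMA:
            report["unknown_keys"].append(key)
        elif not TELEMETRY_SCHEMA[key](value):
            report["invalid_values"].append(key)
        else:
            outbound[key] = value
    return outbound, report


def is_safe_to_send(record: dict[str, Any]) -> bool:
    """Independent pre-transmission check: every key must be in the schema and
    every value must validate. Run it immediately before the network write so a
    later code path that bypasses filter_telemetry() still cannot leak PD."""
    return all(key in TELEMETRY_SCHEMA and TELEMETRY_SCHEMA[key](value)
               for key, value in record.items())


def serialize_for_transmission(record: dict[str, Any]) -> bytes:
    """Encode an already-filtered record; refuse anything that fails the check."""
    if not is_safe_to_send(record):
        raise ValueError("record contains fields outside the telemetry allowlist")
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


# Constructed sample: an instrument status object into which a laboratory
# information system integration has left patient and operator fields
# alongside the engineering data.
SAMPLE_RECORD: dict[str, Any] = {
    "device_serial": "AX7Q2Z9L01",
    "firmware_version": "4.12.3",
    "timestamp": "2016-09-14T08:31:07Z",
    "error_codes": ["E017", "E204"],
    "temperature_c": 37.4,
    "runs_since_service": 1532,
    "patient_id": "PAT-4829",
    "operator_email": "jdoe@example.org",
    "sample_comment": "haemolysed sample, patient J. Doe",
    "last_run_log": "run completed for patient born 1982-03-02",
}

if __name__ == "__main__":
    clean, dropped = filter_telemetry(SAMPLE_RECORD)
    print(serialize_for_transmission(clean).decode())
    print("dropped field names:", dropped)
```

A denylist of known patient fields is not enough on its own, because every new integration or firmware release can add a field the denylist has never seen; the allowlist fails closed instead. The second check in serialize_for_transmission() is the kind of enforced, testable property that the validation and documentation mentioned above can point to.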
If, on the other hand, the software of such instruments cannot prevent the manufacturer (or its subsidiary or its distributor) which holds the internet connection with the instruments from accessing or viewing PD, then this entity (whoever comes into possession of such PD) becomes a processor of such data. Note that mere possession (storage) of such data is "processing" under the Art. 4 definition quoted above and is enough to qualify an entity as a "processor".
Data processors must be specifically authorized by the data controllers (which would be the labs in this case), by a contract or other legal act as Article 28 of the Regulation requires, to act as data processors. They have an obligation to keep effective processes in place to ensure the security of such PD and to avoid unauthorized use or disclosure to 3rd parties, and, where Article 37 of the Regulation requires it, they must appoint a Data Protection Officer responsible for all of these processes.
It is up to the Data Controllers to inform their respective Country Supervisory Authority of the data processor entities they have appointed, through the notification of processing operations required under the current Directive; under the Regulation this notification is replaced by the obligation to keep records of processing activities (Art. 30), which must name the processors used.