DPA Ireland Guidance Notes: Legal bases for processing Personal Data

December 2019

“If processing of sensitive ‘special category’ data is necessary as part of performing the contract, controllers will also need to identify a separate exception to the general prohibition of processing such data, because contractual necessity alone does not fulfil the requirements of Article 9 GDPR. Thus, as with all processing of such special category data, the controller will need both a legal basis – in this case, necessary for the performance of a contract – as well as fulfilling a condition under Article 9(2) which allows for the processing of that type of personal data – such as the fact that the data have been ‘manifestly made public’ or the processing is necessary to establish, exercise, or defend a legal claim.”

https://www.dataprotection.ie/sites/default/files/uploads/2019-12/Guidance%20on%20Legal%20Bases_Dec19.pdf

Netherlands: Interesting DPA action over processing of pseudonymized data

The excerpts below are Google-translated from the press release linked below:
“The Dutch Data Protection Authority (AP) has reprimanded the Alliance for Quality in Mental Healthcare (Akwa GGZ) for processing personal health data. According to the privacy law, this is prohibited because health data provide sensitive information about a person. Processing is only allowed in exceptional cases. Akwa GGZ has taken over a set of insufficiently anonymized health data from the Benchmark GGZ (SBG) foundation since the beginning of 2019. Akwa GGZ has thus processed health data, while this processing cannot be based on an exception to the prohibition.

SBG and Akwa GGZ conduct quality research in mental health care. At the request of the care institution, patients complete a questionnaire so that mental healthcare providers can be benchmarked on treatment effect and customer satisfaction. This so-called Routine Outcome Monitoring (ROM) data went to SBG via Zorg TTP after pseudonymisation. After an enforcement request, the AP investigated the SBG’s working methods and tested them against relevant laws and regulations.”

“The GDPR defines personal data as all information that can be traced to the person. The AP has analyzed all steps from the delivery of data by the patient to the processing of that data by SBG. This shows that SBG did not use randomization techniques when SBG received the data. The key for pseudonymisation also remains the same.

The AP finds that SBG has taken insufficient technical guarantees on the data set to eliminate the risks of traceability. The ROM data is therefore not anonymous and can be traced back to the person. At the start of 2019, Akwa GGZ took over the dataset from SBG. SBG and Akwa GGZ thus processed personal data about patients’ health.”

https://autoriteitpersoonsgegevens.nl/nl/nieuws/berisping-voor-akwa-ggz-na-overnemen-rom-data

Report: Privacy in the EU and US: Consumer experiences across three global platforms (Pat Walshe, PrivacyMatters)

Key findings (condensed from executive summary):

  • Users cannot avoid being tracked.
  • Third parties track users.
  • Privacy policies and other related policies are generally hard to read.
  • Companies fail to provide proper transparency (specific purpose, legal basis, retention time of data).
  • Amazon treats US users differently in terms of rights to access.

https://eu.boell.org/sites/default/files/2019-12/TACD-HBS-report-Final.pdf

Germany, Federal DPA: 9.550.000 EUR fine on 1&1 Telecom GmbH

The BfDI had become aware that callers to the company's customer service could obtain extensive further personal customer data merely by giving the name and date of birth of a customer. In this authentication procedure, the BfDI sees a violation of Article 32 GDPR, according to which the company is obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data.

After the BfDI had raised its concerns, 1 & 1 Telecom GmbH was transparent and very cooperative. In a first step, the authentication process was secured by requesting additional information. In a further step, 1 & 1 Telecom GmbH is currently introducing a new authentication procedure which has been significantly improved in terms of technology and data protection, in consultation with the BfDI.

Despite these measures, the imposition of a fine was necessary. Among other things, the infringement was limited only to a small proportion of customers, but presented a risk to the entire customer base. In determining the amount of the fine, the BfDI remained in the lower range of the possible penalty because of the cooperative behavior of 1 & 1 Telecom GmbH throughout the process.

https://www.bfdi.bund.de/SiteGlobals/Modules/Buehne/DE/Startseite/Pressemitteilung_Link/HP_Text_Pressemitteilung.html

Netherlands, DPA: Cloud storage of patient data reviewed by Dutch DPA — and found GDPR compliant

The Dutch Data Protection Authority (AP) sees no reason to initiate a more detailed investigation into possible violations of the GDPR by MRDM when storing medical data on a cloud platform. This concerns personal data originating from Dutch hospitals. Public questions have been asked about how the organization works. The privacy regulator has obtained information on this from MRDM. MRDM is a third-party IT services provider processing patient data for Dutch hospitals.

MRDM in turn uses a sub-processor (apparently Google) for the storage of that personal data. This sub-processor is a cloud platform that is located outside the EU. The storage of data is done via the cloud. The ‘exploratory investigation’ of the AP related to that last step: the processing of patient data in the cloud.

As part of an exploratory inquiry, the DPA looked at the storage, by MRDM’s sub-processor, of patient data in the cloud.
Apparently, the following have been reviewed:

  • the standard operating procedures,
  • the sub-processing agreements and
  • technical and organizational security measures.

The personal data is stored in the Netherlands, and the contracts with the cloud platform ensure that there is no international transfer of personal data to third countries outside the EEA. In addition, MRDM has informed the AP about how the data is protected.

The decision of the Dutch DPA not to investigate further might be seen as a sign that GDPR compliance can be achieved in respect of cloud-based processing of patient data.

DPA press release:
https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-stelt-geen-onderzoek-naar-opslag-medische-gegevens-cloud

Blog post by BakerMcKenzie:
https://www.bakermckenzie.com/en/insight/publications/2019/11/draft-eprivacy-regulation-rejected

Media article:
https://www.agconnect.nl/artikel/medische-data-google-cloud-krijgt-geen-avg-onderzoek