Netherlands, DPA: Cloud storage of patient data reviewed by Dutch DPA — and found GDPR compliant

The Dutch Data Protection Authority (AP) sees no reason to initiate a more detailed investigation into possible violations of the GDPR by MRDM when storing medical data on a cloud platform. This concerns personal data originating from Dutch hospitals. Public questions have been asked about how the organization works, and the privacy regulator has obtained information on this from MRDM. MRDM is a third-party IT services provider processing patient data for Dutch hospitals.

MRDM in turn uses a sub-processor (apparently Google) for the storage of that personal data. This sub-processor is a cloud platform that is located outside the EU. The storage of data is done via the cloud. The ‘exploratory investigation’ of the AP related to that last step: the processing of patient data in the cloud.

As part of an exploratory inquiry, the DPA looked at the storage of patient data in the cloud by MRDM’s sub-processor.
Apparently, the following have been reviewed:

  • the standard operating procedures,
  • the sub-processing agreements and
  • technical and organizational security measures.

The personal data is stored in the Netherlands, the contracts with the cloud platform ensure that there is no international transfer of personal data to third countries outside the EEA. In addition, MRDM has informed the AP about how the data is protected.

The decision of the Dutch DPA not to investigate further might be seen as a sign that GDPR compliance can be achieved in respect of cloud-based processing of patient data.

DPA press release:
https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-stelt-geen-onderzoek-naar-opslag-medische-gegevens-cloud

Blog post by BakerMcKenzie:
https://www.bakermckenzie.com/en/insight/publications/2019/11/draft-eprivacy-regulation-rejected

Media article:
https://www.agconnect.nl/artikel/medische-data-google-cloud-krijgt-geen-avg-onderzoek

Irish DPA – Guide to Audit Process

v2.0 August 2014

https://www.dataprotection.ie/docimages/documents/GuidetoAuditProcessAug2014.pdf

“This guidance was originally published in 2009. This revised version has been updated to take account of legislative developments and to reflect any changes in the approach of the Office of the Data Protection Commissioner to the audit process. The guidance is designed to assist organisations selected for audit by the Office of the Data Protection Commissioner. It is hoped that this resource will provide organisations holding personal data with a simple and clear basis to conduct a self-assessment of their compliance with their obligations under Irish Data Protection Law.”