AEPD publishes a guide on data protection rights of patients and health users

The Spanish Agency for Data Protection (AEPD) has published the ‘Guide for patients and users of health’, a document that responds to the most frequent questions that citizens usually ask when their personal data is processed by centers, administrations and health professionals and which aims to facilitate the knowledge of their rights.
In a second part, the ‘Guide for patients and healthcare users’ collects the issues raised most frequently before the AEPD.

Press release: https://www.aepd.es/prensa/2019-11-14-guia-pacientes-usuarios-sanidad.html

Guide (in Spanish):
https://www.aepd.es/media/guias/guia-pacientes-usuarios-sanidad.pdf

Prior authorization/notification requirements (from Baker McKenzie 2019)

General comparison via Baker McKenzie (via compare jurisdiction and topics)
https://globaltmt.bakermckenzie.com/data-privacy-security/views/comparison-view?ids=969b220521f94e21a8358fa9cabce1ff,7b3389f4364545d8933d7ccb76b6d5c8

In many articles it is stated that prior notification/authorization requirements had been replaced with GDPR by the need to have high-risk Data Protection Impact Assessments reviewed by the Supervisory Authorities (GDPR Art 36). – However, there are still cases in which more specific prior notification/authorization requirements exist (GDPR Art 36 (5) and Member state laws (via opening clauses)).

According to the above source, in the EU, -and omitting DPO registrations – there are requirements for
(check source above for the precise wording, my own summary below)

  • Belgium
    (CCTV, sometimes communication of health data)
  • Denmark
    (purpose-related: warning someone to engage in some business, creditchecks/financial standing-related, legal information system-related)
  • France
    (sometimes for processing of person’s NIR (national identification registry) number; state investigations; biometric or genetic data for authentication on behalf of the state; some transfers of personal data to a third country (GDPR 43 (3) a);
    ad hoc scheme for health data and subjects their processing to a prior declaration of conformity with standard references (“référentiels”) of the CNIL. Failing that, article 54 of the Data Protection Act states that processing shall be subject to the CNIL’s prior authorization, except in the field of health research or study. ” (quote from URL above) [Exceptions for some bodies and services listed via a Ministerial Order]

For France/CNIL: Overview by Baker McKenzie
https://globaltmt.bakermckenzie.com/sitesearch?keyword=france&matrixid=33ba308e82f14292a36ec822d367795e&scroll=900

CNIL/France: Pior authorization for healthdata, pharmacovigilance and CNIL standards

Article by TwoBirds ” The CNIL published on 18 July 2019 a new standard concerning the processing of personal data for the purpose of vigilance in the health sector. ”
https://www.twobirds.com/en/news/articles/2019/global/new-cnil-standard-for-all-companies-doing-product-vigilance-activities

Quote: ” The standard is of great importance since according to the French Data Protection Act such processing activities are submitted to the CNIL’s prior authorization. The scope of the French prior authorization requirement is extraterritorial, and any organization worldwide doing product vigilance on individuals residing in France must obtain an authorization in order to be allowed to carry on their activities. But if their activities comply with the CNIL’s new standard, then they can now file a declaration of compliance with the CNIL, instead of filing a full request for authorization. “

Link to inofficial translation by TwoBirds at https://www.twobirds.com/~/media/pdfs/france/new-french-cnil-standard.pdf?la=en&hash=8AE9FA58104BDE6D234289328ACB6BBCE25DCBD2

TwoBird article on overall background at https://www.twobirds.com/en/news/articles/2019/france/processing-health-data-in-france-what-to-look-out-for-after-gdpr – incl. need for prior authorization and CNIL reference methods