General Data Protection Regulation (GDPR)

Original Editor - Angeliki Chorti Top Contributors - Angeliki Chorti

Introduction

The General Data Protection Regulation (GDPR) is a European Union (EU) data protection law that provides a set of rules on how personal data should be gathered and handled. It empowers people with control over their personal data. Any business that collects, keeps and analyses data sourced from EU citizens should follow the GDPR guidelines.


The main aim of the GDPR is to make sure that patients own their data at all times and that it is used only for purposes for which they have given direct informed consent. Furthermore, the GDPR protects the following rights:

  • Right to access: You have the right to obtain, free of charge, a copy of your personal data and related supplementary information, and to ask how and why that data was collected.
  • Right to rectification: A person has the right to request the rectification of their personal data or to have it completed. The data controller is expected to respond within a month of receipt of the request (or two months if the request is complex).
  • Right to erasure: A person has the right to request erasure of own personal data, for instance, where data are no longer necessary for the purposes for which they were collected or when consent was withdrawn.
  • Right to object: Under certain circumstances, and at any time, a person has the right to object to and stop the processing of their personal data.
  • Right to restrict processing: You have the right to request the restriction or suppression of your personal data. This right is not the same as the right to rectification and objection, although there are some linkages.
  • Right of data portability: You have the right to receive your personal data from an organisation in a commonly used form so that you can easily share it with another.
  • Right not to be profiled: Unless required by law or a contract, decisions affecting a person cannot be made solely on the basis of automated processing.

Employers, the public sector and some organisations whose core activities relate to regular and systematic monitoring of personal and sensitive data on a large scale will have to comply with the GDPR obligations and rights. However, these rights are not absolute and can be restricted by European Union or Member State law.

How does this relate to clinical practice?

All patient information should be collected and used appropriately and according to the requirements of the GDPR to protect personal and sensitive data. This may require organisational and technical security measures to protect patient data in clinical records against unauthorised disclosure or processing.

The same applies to digital services, such as telehealth services. Third parties may be used to process or store patient data, e.g. assessment and exercise programme software or electronic medical records. These third parties should process and store the data in their systems according to GDPR requirements.

The History of the General Data Protection Regulation

The EU adopted the GDPR in 2016 as a replacement for the 1995 Data Protection Directive. The EU's data protection laws have long been recognised as the gold standard across the world. However, a lot has changed over the last 25 years: technology has advanced immensely and has brought transformations to modern societies that nobody could have imagined. The new GDPR came into force on 25th May 2018; from its adoption in 2016, member states had two years to ensure its full implementation. GDPR is now recognised as law across the EU.

Key highlights in the history of GDPR include the following:

- 24th October 1995: The European Data Protection Directive (Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is adopted.

- 22nd June 2011: The European Data Protection Supervisor publishes an Opinion on the European Commission's Communication.

- 25th January 2012: The European Commission proposes a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy.

- 7th March 2012: The European Data Protection Supervisor adopts an Opinion on the Commission's data protection reform package.

- 23rd March 2012: The Article 29 Working Party adopts an Opinion on the data protection reform proposal.

- 5th October 2012: The Article 29 Working Party provides further input on the data protection reform discussions.

- 12th March 2014: The European Parliament demonstrates strong support for the GDPR by voting in plenary with 621 votes in favour, 10 against and 22 abstentions.

- 15th June 2015: The Council reaches a general approach on the GDPR.

- 27th July 2015: The European Data Protection Supervisor publishes his recommendations to the European co-legislators negotiating the final text of the GDPR in the form of drafting suggestions. He also launches a mobile app comparing the Commission's proposal with the latest texts from the Parliament and the Council.

- 15th December 2015: The European Parliament, the Council and the Commission reach an agreement on the GDPR.

- 2nd February 2016: The Article 29 Working Party issues an action plan for the implementation of the GDPR.

- 27th April 2016: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), is adopted.

- 24th May 2016: The Regulation enters into force, 20 days after publication in the Official Journal of the EU.

- 10th January 2017: The European Commission proposes two new regulations, on privacy and electronic communications (ePrivacy) and on the data protection rules applicable to EU institutions (currently Regulation 45/2001), that align the existing rules with the GDPR.

- 6th May 2018: Member States must have transposed the Data Protection Directive for the police and justice sectors into national legislation. It applies from this day.

- 22nd May 2018: Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [First reading] - Preparation for the trilogue.

- 25th May 2018: Corrigendum to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Corrigendum to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

- 25th May 2018: The General Data Protection Regulation applies from this day.

GDPR - Rights and Obligations

The Data Controller and Data Processor

The Data Controller is the natural or legal person or organisation who owns the data and sets the rules on how it is to be collected and processed. They are responsible for keeping a record of all processing activities and for designating one or more data processors that can, in the name of the data controller, collect and process the data.

The Data Protection Officer (DPO)

The DPO ensures that the organisation processes personal data in compliance with GDPR rules by advising the controller and processors on how to comply with the GDPR. The DPO is designated on the basis of professional qualities and knowledge of data protection law and practices. In some cases the data controller is required to appoint a data protection officer. This happens if:

  • a public authority is responsible for the processing of data;
  • the core activities of the controller or the processor require “by virtue of their nature, their scope and/or their purposes, regular and systematic monitoring of data subjects on a large scale” (Art. 37(1)(b));
  • the core activities of the controller or the processor consist of processing, on a large scale, special categories of data or personal data relating to criminal convictions; or
  • national legislation specifies further cases where there is an obligation to appoint a DPO.

GDPR Principles

GDPR follows seven guiding principles of data protection:

Lawfulness, fairness and transparency

- Lawfulness: a lawful basis for collecting the data needs to be established, for example, processing based on consent, public interest or legitimate interests.

- Fairness: data collection and handling should be undertaken in a way that people would reasonably expect. Obtaining data by deception breaches the principle of fairness.

- Transparency: transparency refers to which data is collected, for what purpose, for whom and for how long it will be kept; this information should be written as clearly as possible in easily understandable language.

Purpose limitation

Data collected for specified, explicit and legitimate purposes cannot be further processed in a manner incompatible with those purposes. The data controller has to specify for which purposes personal data is collected. Sometimes, the data can still be processed for new purposes if those are compatible with the original one (e.g. archiving in the public interest; scientific or historical research; and statistical purposes) and consent has been provided, or if there is a new legal provision that requires the processing or allows it in the public interest.

Data minimisation

Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

Accuracy

Data needs to be accurate and kept up to date. The data controller may proactively check the accuracy of data and, if any of it is inaccurate, incorrect or misleading, either delete or rectify it. In some cases the data controller can rely on requests from data subjects; in others, records will need to be updated anyway.

Storage limitation

Personal data should be kept for a predetermined period of time and no longer than necessary. When the purpose for keeping the data is no longer relevant, or the data is out of date, it should be deleted or anonymised. This ensures that data are not irrelevant, excessive, inaccurate or out of date, and encourages controllers to set policies on retention limits.

Integrity and confidentiality

Appropriate measures are necessary to ensure the security of the data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

Accountability

The data controller is responsible and thus accountable for compliance with the GDPR, ensuring that all necessary measures are in place.

Resources

Data Ethics and GDPR - Chartered Society of Physiotherapy, UK

European Data Protection Supervisor. The History of the General Data Protection Regulation.

The General Data Protection Regulation (GDPR) An EPSU Briefing