General Data Protection Regulation – health data

After political agreement was reached last December, linguists and legal experts have finally completed the final version of the 261-page Regulation on data protection. This is the culmination of years of negotiations and lobbying. In an attempt to keep to the initial deadline for final adoption of the text, the Council adopted its position via an extremely short written procedure, which ended on 8 April.

The new regulation’s objective is to remove obstacles to the flow of personal data in the EU, while ensuring a higher level of data protection for European citizens.

This may very well affect readers of this newsletter and I would suggest that they seek advice on what it means to them in practice. For instance, many organisations will likely need a Data Protection Officer or DPO: if the main activities of your organisation involve “systematic monitoring of data subjects on a larger scale”, or large-scale processing of ‘special categories’ of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, biometric data, health or sex life, or sexual orientation), then you will be required to have a DPO.

More generally, the new regulation introduces the following measures:

– more specific rules allowing data controllers (those responsible for the processing of data) to process personal data, including through the requirement for the consent of the individuals concerned.
– easier access for individuals to their personal data.
– better information about what happens to personal data once it is shared. This includes informing individuals about their privacy policy in clear and plain language, which can also be done via standardised icons.
– a right to erase personal data and “to be forgotten”.
– a right to portability, facilitating the transmission of personal data from one service provider to another.
– a right to object to the processing of personal data relating to the public interest or to legitimate interests of a controller. This right covers the use of personal data for the purposes of ‘profiling’.
– common safeguards covering the processing of personal data for archiving purposes where that is in the public interest and for scientific and historical research or statistical purposes.

A very good analysis of the concrete effects of the changes can be found here. These include: “Managers, data protection officers, heads of IT and other staff responsible for data protection within a company must be careful. Those in senior positions who do not comply with the new rules face fines of up to EUR 20 million. In addition, they could be personally liable if the company is forced to pay fines or damages due to their own errors. The dramatic increase in risks means individuals should be aware that, in future, acts of negligence could very quickly cost them their jobs.”

Next steps

The implementation phase has now begun: organisations and companies concerned have 2 years to prepare for the entry into force of the new Regulation in the second quarter of 2018.
