When a company uses anonymization, does the GDPR apply to it?

Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. Today, we meet to talk about the General Data Protection Regulation (or GDPR), which is the reference text for personal data protection. The GDPR went into effect on May 25, 2018 in the EU member states, but it is not always very simple to apply. That’s why I’m here to help you today with the following question: when a company implements an anonymization process, does it still have to apply the GDPR?

As a reminder, anonymization is a process that prevents any re-identification of the data. That is to say, once an anonymization has been carried out, it is impossible afterwards to re-identify the data that has been anonymized. Anonymization differs from pseudonymization because, conversely, pseudonymization still allows re-identification by coupling the pseudonymized data with other data. To be clearer, anonymization is a process that renders data irreversibly anonymous.

Anonymization – like pseudonymization – is a security measure, i.e., it protects personal data processed by a company.

But it is not sufficient to exempt a company from the other rules of the GDPR, for two reasons. The first is that the GDPR applies in two cases: either when the company is established in a member state of the European Union, or when the company processes the data of European Union citizens.

The second reason is that the GDPR is not only a set of security measures; many other obligations arise from it, such as keeping processing registers, carrying out impact assessments, controlling transfers outside the EU, and a whole range of other measures put in place by this text.

In conclusion, anonymization is a way of contributing to compliance with the GDPR; however, it is not enough on its own to be GDPR compliant. It is necessary to implement all the other obligations that arise from the GDPR.

I hope you liked this video; if you did, please subscribe to the channel and like it. You will find in the information bar all the information concerning our services, in particular the monthly legal watch as well as the legal advice in clinical research. And we’ll see you soon for a new video.

When the sponsor requests a pre-screening list, is it possible to initial the patient’s name before the patient has signed an informed consent?

Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. Today, we meet again to talk about the General Data Protection Regulation (the GDPR) which, I remind you, is the reference text in terms of personal data protection and which came into force in the European Union on May 25, 2018.

The question of the day is whether, when you have a pre-screening list, you can enter the patient’s initials into it before the patient has even signed their informed consent. To find the answer to this question, we have to look at the essence of the GDPR. When reading this text, we realize that its main subject is the data subject. That is to say, the text is really focused on the data subject’s choice as to what happens to his or her data, how it is processed and, obviously, how it is secured.

So, the patient’s initials are considered personal data. Therefore, you can’t do just anything with them. In this case, you can’t fill out the screening list with the patient’s initials until they have signed their informed consent. But why?

It is simple: the processing of personal data must be based on what is called a legal basis, in other words a reason that makes the processing legitimate. The legal bases are listed in Articles 6 and 9 of the GDPR. This list is exhaustive, and, in this case, there are two legal bases that we could use: the consent of the data subject (so the patient) to the use of his personal data, or the legitimate interests of the data controller.

If we were to base our processing on the consent of the data subject to the use of his or her personal data, this would mean that – since, as a rule, this consent is recorded in the same document as the informed consent – the patient would have to sign the consent to the use of his or her personal data first and the informed consent only later, which is a roundabout way of doing things. This is rare because, in general, these two consents, even though they are not really the same thing, are in one and the same document. So we can already discard consent.

Secondly, the legitimate interests of the controller cannot be used either, since as long as the patient has not signed his informed consent, he is not part of the study. He is not yet included in it, since he can still refuse to participate at any time. Therefore, the data controller cannot rely on his legitimate interests, since he is not yet able to ensure that the patient will participate in the study.

In conclusion, it is not possible to use the initials of a participant in a clinical study in any way whatsoever before the participant has signed an informed consent.

I hope you enjoyed this video; if you did, do not hesitate to subscribe to the channel and to like this video. You will find in the information bar information on our various services: the monthly legal watch on the one hand and the legal advice in clinical research on the other. As for us, we will soon meet again for a new video!

GDPR: Can the DPO be based outside the European Union?

Hello everyone, this is Manon DURAND, health lawyer within the company Pharmaspecific. We meet again to talk about the General Data Protection Regulation (the GDPR) which, I remind you, is the reference text in terms of personal data protection within the European Union and which is applicable since May 25, 2018.

The question of the day is whether it is possible to appoint a DPO who is located outside the European Union. As a reminder, the data protection officer (DPO) is the person who takes care of the GDPR compliance of the organization that has appointed him. That is to say, he is the one who implements all the obligations arising from the GDPR: the processing registers, the impact assessment, the security measures…

He can be internal to the company, that is to say an employee, but he can also be external to the company, that is to say that the company can call upon a third-party company to carry out its DPO missions. There is a list of cases in which the appointment of a DPO is mandatory; however, nothing prevents you from appointing a DPO even if you do not fall within this list of cases.

Therefore, a priori there is no contraindication to appointing a DPO who is located outside the European Union. However, if you make this choice, it is up to you to verify that the DPO you choose is completely aware of the principles and rules of the GDPR, since it is possible that he is not himself subject to it and therefore does not work with the GDPR on a regular basis. So, if you make this choice, it is up to you to verify that your compliance will not be undermined by choosing a DPO located outside the European Union.

The second point to which you must pay attention is the framework for transfers outside the European Union. Precisely because your DPO is located outside the European Union, unless he is located in a country recognized as adequate by the European Commission, you will have to implement the transfer tools detailed in the GDPR, for example standard contractual clauses or binding corporate rules, to secure your transfer. So, if you make this choice, be careful to properly frame your data transfer outside the European Union so as not to deviate from the GDPR.

That’s it for this video; I hope you liked it. If you did, don’t hesitate to subscribe to our channel and to like this video. You will find in the information bar information about our services, in particular the monthly legal watch as well as the legal advice in clinical research. As for me, I’ll see you soon for a new video.

Can a patient request the deletion of data from his/her medical record?

Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. We’re meeting again to talk about the General Data Protection Regulation (the GDPR), which is the reference text in terms of personal data protection, and which came into force in the European Union on May 25, 2018.

The question of the day is whether a patient can request that data contained in their medical record be deleted. The medical record is a set of documents that traces the life of the patient with regard to his health: histories of operations, treatments taken, medical visits… However, the importance of this medical record is such that if a doctor consults a patient’s medical record and some information is missing, his decision-making can be erroneous because he will not have all the information at his disposal.

This problem must be weighed against the principles of personal data protection, which require that a data subject, in this case the patient, still has certain powers over his personal data. Indeed, the patient can ask for the deletion or rectification of personal data contained in his medical record; he can make this request to the hospital, but it is not without conditions.

Firstly, he can only do so if the data are inaccurate, ambiguous, outdated or incomplete. Secondly, he must be able to justify a legitimate reason for the deletion or rectification of his data. For example, a patient was able to obtain the deletion of his data on the grounds that a member of his family worked in the same hospital and that he did not want that family member to have access to his health information, in particular a pathology he was suffering from.

So, if all these conditions are met, the patient will be able to ask for a modification or a deletion of his data; but in practice, the reason must really be justified.

That’s all for today; I hope you enjoyed this video. If you did, don’t hesitate to subscribe to our channel and to like this video. You will find in the information bar the information on our services, in particular the monthly legal watch and the legal advice in clinical research. As for me, I’ll see you soon for a new video.