Category Archives: Little tips for CRA

GDPR: Can the DPO be based outside the European Union?

Hello everyone, this is Manon DURAND, health lawyer within the company Pharmaspecific. We meet again to talk about the General Data Protection Regulation (the GDPR) which, I remind you, is the reference text in terms of personal data protection within the European Union and which is applicable since May 25, 2018.

The question of the day is whether it is possible to appoint a DPO who is located outside the European Union. As a reminder, the data protection officer (DPO) is the person in charge of the GDPR compliance of the organization that has appointed them. That is to say, the DPO is the one who implements all the obligations related to the GDPR: the records of processing activities, the impact assessment, the security measures, and so on.

The DPO can be internal to the company, that is to say an employee, but can also be external to the company, in which case the company calls upon a third-party company to carry out the DPO's missions. There is a list of cases in which the appointment of a DPO is mandatory; however, nothing prevents you from appointing a DPO even if you do not fall within that list of cases.

Therefore, a priori there is no contraindication to appointing a DPO who is located outside the European Union. However, if you make this choice, it is up to you to verify that the DPO you choose is fully aware of the principles and rules of the GDPR, since they may not themselves be subject to it and may therefore not work with the GDPR on a regular basis. So, if you make this choice, it is up to you to verify that your compliance will not be compromised by choosing a DPO located outside the European Union.

The second point you must pay attention to is the framing of transfers outside the European Union. If your DPO is located outside the European Union, then unless they are located in a country recognized as adequate by the European Commission, you will have to implement the transfer tools detailed in the GDPR, for example standard contractual clauses or binding corporate rules, to secure your transfer. So, if you make this choice, be careful to properly frame your data transfer outside the European Union so as not to deviate from the GDPR.

That's it for this video, I hope you liked it. If you did, don't hesitate to subscribe to our channel and to like this video. You will find in the information bar details about our services, in particular the monthly legal watch and the legal advice in clinical research. As for me, I'll see you soon for a new video.


Can a patient request the deletion of data from his/her medical record?

Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. We're meeting again to talk about the General Data Protection Regulation (the GDPR), which is the reference text in terms of personal data protection and which came into force in the European Union on May 25, 2018.

The question of the day is whether a patient can request that data contained in their medical record be deleted. The medical record is a set of documents that traces the life of the patient with regard to their health: histories of operations, treatments taken, medical visits, and so on. The importance of this medical record is such that if a doctor consults a patient's medical record and some information is missing, the doctor's decision-making can be erroneous, because not all the information will be at their disposal.

This problem must be weighed against the principles of personal data protection, which require that a data subject, in this case the patient, still has certain powers over their personal data. Indeed, the patient can ask for the deletion or rectification of personal data contained in their medical file; they can make this request to the hospital, but it is not without conditions.

Firstly, the patient can only do so if the data are inaccurate, ambiguous, outdated or incomplete. Secondly, the patient must be able to justify a legitimate reason for the deletion or rectification of the data. For example, a patient was able to obtain the deletion of his data on the grounds that a member of his family worked in the same hospital and that he did not want that family member to have access to his health information, in particular a pathology he suffered from.

So, if all these conditions are met, the patient will be able to ask for a modification or a deletion of their data, but in practice the reason must be genuinely justified.

That's all for today, I hope you enjoyed this video. If you did, don't hesitate to subscribe to our channel and to like this video. You will find in the information bar the information on our services, in particular the monthly legal watch and the legal advice in clinical research. As for me, I'll see you soon for a new video.


Should clinical study technicians take the steps related to the GDPR? Who should carry out these procedures?

Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. We are meeting today once again to talk about the GDPR, the General Data Protection Regulation which is, I remind you, the reference text in terms of personal data protection within the EU. It came into force on May 25, 2018 in the EU member states.

The question of the day is whether clinical study technicians (CSTs) are responsible, at their level, for implementing the obligations related to the GDPR, or whether this happens at another level. As a reminder, the clinical study technicians are the personnel in charge of entering the study data collected from the patients so that the study can be properly conducted. They are confronted with personal data on a daily basis. However, it is not up to them to implement the obligations related to the GDPR, since this happens at the level of the data controller.

I remind you that the controller is the person who determines the purposes and means of the processing. In practice, in clinical research, this is the sponsor. Within the sponsor's organization, there are different levels that can deal with GDPR compliance.

First of all, if a Data Protection Officer has been appointed (which is not always an obligation), he or she will be responsible for ensuring compliance with the GDPR, i.e., putting in place all the required tools: records of processing activities, an impact assessment where appropriate, supervision of transfers outside the EU, etc.

If there is no DPO in the sponsor's organization, compliance is handled either at the level of the legal department, if there is one, or otherwise directly at the management level. It is therefore not up to the clinical study technicians to implement GDPR compliance. On the other hand, like all the personnel involved in the study, they must be trained in the rules of the GDPR, in its spirit and in the way the data must be processed. Since they are confronted with this data on a daily basis, they must know what they can and cannot do with it.

I hope you enjoyed this video. If so, you can subscribe to our channel and like this video, and you will find in the information bar all the information about our services, such as the monthly legal watch or the legal advice in clinical research. As for us, we will soon meet again for a new video!

GDPR: Can an impact assessment be made once the processing has begun?

Hello everyone, this is Manon DURAND, health lawyer at Pharmaspecific. We are meeting today to talk about the General Data Protection Regulation (the GDPR) which is, I remind you, the reference text in terms of personal data protection and which came into force in the European Union on May 25, 2018.

The question of the day is whether it is possible to carry out a data protection impact assessment a posteriori, i.e., once the processing has already begun. The impact assessment is a tool to ensure compliance with the GDPR and is intended for processing operations that could generate high risks for the rights and freedoms of the data subjects: it weighs the security measures implemented by the data controller against the rights and freedoms of the data subjects.

In practice, the impact assessment can be carried out in the form you wish, but the CNIL provides a piece of software called PIA that allows you to perform your impact assessment in a very clear and simple way. You can use this software, and for all these reasons it is better to carry out the impact assessment before your processing begins, because if you find that some security measures are insufficient or misused, it will allow you to adopt corrections before the processing starts.

However, the GDPR is not always straightforward, so you may have forgotten to carry out your impact assessment. If this is the case, there is nothing to stop you from doing it anyway during your processing. This will allow you to identify and implement any corrections needed on certain security measures, and, if you identify a data breach, you can still notify the CNIL in order to be truly in compliance with the GDPR.

In conclusion, the impact assessment is preferably carried out before the processing, but nothing prevents you from carrying it out during your processing if you have not been able to do it before. Please refer to the CNIL website to find out in which cases you have to carry out an impact assessment. And I remind you that this is the responsibility of the data controller, with the help of the processor if necessary.

That's it for this video, I hope you liked it. If you did, don't hesitate to subscribe to our channel and to like this video. You will find in the information bar information on our services, in particular the monthly legal watch and the legal advice in clinical research. As for me, I'll see you soon for a new video.
