TRIX MULDER: You have learned that the GDPR applies to processing of personal data. This means that if an organisation uses your personal data, for whatever purpose, they have to follow the rules of the GDPR. In the last video, we introduced Anna to you. We saw that she was in pain and she will probably need medical attention. As a patient, her doctor will need to process her personal data. This makes Anna the data subject. Her doctor can identify her by her personal data. The doctor, in this case, is the controller, because he determines the purpose and means of the processing.
It is the doctor who decides that he needs Anna's personal data in order to provide medical care and that he will, for example, use a computer programme to process her digital patient file. If the doctor decides to store the data, for example, in the Cloud, the organisation hosting the Cloud becomes the processor. After all, this organisation hosts the patient's file on behalf of the doctor. Any organisation processing personal data, like Anna's doctor, will need to reflect upon the reasons for processing. Processing cannot be done lightly, especially when it comes to health data, which is considered to be sensitive data.
According to the GDPR, there are seven principles for processing personal data, namely lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. If the doctor wants to process his patient's personal data, the GDPR determines that he needs to do so lawfully, fairly, and in a transparent manner. The GDPR does not provide an explanation of how to process data fairly and transparently. It is understood that by following the GDPR, data will be processed fairly and transparently. As regards lawfulness of processing, the GDPR provides six legal grounds for lawful processing. This includes processing necessary for the performance of a contract and protecting the vital interests of the data subjects.
If Anna goes to her doctor, the legal ground for processing data will be in her contract with her doctor. If Anna were to collapse on the street, the paramedic will be able to process her data lawfully, in order to protect her vital interests. The GDPR furthermore determines that data minimisation and accuracy are important when processing personal data. Data minimisation means that Anna's doctor can only process the data that is necessary for Anna's treatment and no more than that. In healthcare, accuracy is of particular importance, considering that data determines the treatment of a patient. This means that the data needs to be kept up to date.
So if it turns out that Anna needs antibiotics for an infection, her doctor needs to be sure that she is not allergic to the antibiotics he prescribed. These examples all relate to data processed in a medical context. However, personal data, including health data, are also processed outside the medical context, for example, in the apps we saw Anna using. We will come back to this phenomenon during this course.
Principles and lawfulness of processing
The GDPR applies to the processing of personal data. Organisations and companies processing personal data for whatever purpose need to follow the rules of the GDPR.
In this course you already met Anna. She is a data subject who can be identified on the basis of her personal data by her doctor. Her doctor is the controller, because he determines the purpose and means of processing (what data needs to be collected and how it needs to be collected). The doctor can also ask a processor to process Anna’s data on his behalf and under his instruction.
Can you think of any other examples where data subjects, data controllers and data processors interact with each other? Post your ideas on the discussion board and take a look at the examples from your fellow learners.
© University of Groningen