Skip to 0 minutes and 3 seconds MELANIA TUDORICA: In this activity, you’ll learn about consent and you discussed it with fellow learners. You may have come to the conclusion that Anna never signed a document giving her consent for medical treatment. In the Netherlands, the legal basis for medical treatment is a contract, which is most of the time entered upon implicitly. The very fact that you go to your doctor already implies consent to this contract. This means that consent as a basis for lawful processing, as determined by the GDPR, is only needed if the medical data is used for another purpose than the necessary treatment. An example of another purpose is using the data for medical research. We will explain more about this in Week 2.
Skip to 0 minutes and 43 seconds However, health data is not only used within a medical context. We saw Anna use a running app. You may recollect that health data is part of a special category of personal data, which is also referred to as sensitive data. The GDPR prohibits processing of this type of data, unless one of the conditions mentioned in Article 9 is met. One of these exemptions is explicit consent given by the data subject. This means that Anna has to agree with the processing of her health data by any app. In this case, the running app. The GDPR provides for a number of conditions for consent. A controller, such as an app company, has to be able to demonstrate that consent has been given.
Skip to 1 minute and 57 seconds You don’t always have to actually agree with the whole policy, but you may be asked to give the app access to, for example, your GPS as location. This practice does not seem to be in line with the provisions of the GDPR. Consent is one of the principles to protect data subjects like Anna. The GDPR provides for more rights for data subjects. You will learn more about this in the next activity.
Consent and health data
Within a medical context, the legal basis for processing health data is often the (implicit or explicit) contract between a patient and a medical professional (Article 6 (1, b) GDPR). Anna never had to sign a document giving her consent for medical treatment. Health data can, however, also be processed outside the medical context, for example by Anna’s running app.
Health data is part of a special category of personal data (sensitive data). The GDPR prohibits processing of this type of data unless one of the conditions mentioned in Article 9 GDPR is met. Healthcare providers who are bound by professional secrecy are exempted from this prohibition (Article 9 (2, h and 3)). One other exemption is explicit consent given by the data subject. This means that processing of health data outside the medical context needs to be based on Anna’s explicit consent. She has to agree, for example, to the processing of her health data by the running app.
© University of Groningen