MELANIA TUDORICA: In this activity, you learn about consent, and you have discussed it with fellow learners. You may have come to the conclusion that Anna never signed a document giving her consent for medical treatment. In the Netherlands, the legal basis for medical treatment is a contract, which is most of the time entered upon implicitly. The very fact that you go to your doctor already implies consent to this contract. This means that consent as a basis for lawful processing, as determined by the GDPR, is only needed if the medical data is used for another purpose than the necessary treatment. An example of another purpose is using the data for medical research. We will explain more about this in Week 2.

However, health data is not only used within a medical context. We saw Anna use a running app. You may recollect that health data is part of a special category of personal data, which is also referred to as sensitive data. The GDPR prohibits processing of this type of data, unless one of the conditions mentioned in Article 9 is met. One of these exemptions is explicit consent given by the data subject. This means that Anna has to agree with the processing of her health data by any app, in this case the running app. The GDPR provides for a number of conditions for consent. A controller, such as an app company, has to be able to demonstrate that consent has been given.

A privacy policy is the most common way to inform people on how their data is going to be processed. Privacy policies have to be written in clear and plain language. As you saw earlier, this is not always the case. When presented with a privacy policy, the user is sometimes asked to agree with its content. However, the question is if people actually read the privacy policy. Research has shown that a vast majority of people never do. Sometimes, when downloading an app, if you look closely, you see that you can click on the privacy policy in order to read it.

You don't always have to actually agree with the whole policy, but you may be asked to give the app access to, for example, your GPS location. This practice does not seem to be in line with the provisions of the GDPR. Consent is one of the principles to protect data subjects like Anna. The GDPR provides for more rights for data subjects. You will learn more about this in the next activity.

Consent and health data

Within a medical context, the legal basis for processing health data is often the (implicit or explicit) contract between a patient and a medical professional (Article 6(1)(b) GDPR). Anna never had to sign a document giving her consent for medical treatment. Health data can, however, also be processed outside the medical context, as with Anna’s running app.

Health data is part of a special category of personal data (sensitive data). The GDPR prohibits processing of this type of data unless one of the conditions mentioned in Article 9 GDPR is met. Healthcare providers who are bound by professional secrecy are exempted from this prohibition (Article 9(2)(h) and 9(3) GDPR). One other exemption is explicit consent given by the data subject. This means that processing of health data outside the medical context needs to be based on Anna’s explicit consent. She has to agree, for example, with the processing of her health data by the running app.

A privacy policy is in this case the most common way to inform people on how their data is going to be processed. Privacy policies have to be written in clear and plain language and a controller has to be able to demonstrate that consent has been given. When presented with a privacy policy, users are sometimes asked to agree with its content. However, in such cases, the question arises whether people actually read the privacy policy.

This video is from the free online course:

Protecting Health Data in the Modern Age: Getting to Grips with the GDPR

University of Groningen