Principles and lawfulness of processing

TRIX MULDER: You have learned that a GDPR applies to processing of personal data. This means that if an organisation uses your personal data, for whatever purpose, they have to follow the rules of the GDPR. In the last video, we introduced Anna to you. We saw that she was in pain and she will probably need medical attention. As a patient, her doctor will need to process her personal data. This makes Anna the data subject. Her doctor can identify her by her personal data. The doctor, in this case, is the controller, because he determines the purpose and means of the processing.

It is the doctor who decides that he needs Anna’s personal data in order to provide medical care and that he will, for example, use a computer programme to process her digital patient file. If the doctor decides to store the data, for example, in the Cloud, the organisation hosting the Cloud becomes the processor. After all, this organisation hosts the patient’s file on behalf of the doctor. Any organisation processing personal data, like Anna’s doctor, will need to reflect upon the reasons for processing. Processing cannot not be done lightly, especially when it comes to health data, which is considered to be sensitive data.

According to the GDPR, there are seven principles for processing personal data, namely lawfulness, fairness, and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. If the doctor wants to process his patient’s personal data, the GDPR determines that he needs to do so lawfully, fairly, and in a transparent manner. The GDPR does not provide explanation on how to process data fairly and transparently. It is understood that by following the GDPR, data will be processed fairly and transparently. As regards lawfulness of processing, the GDPR provides six legal grounds for lawful processing. This includes processing necessary for the performance of a contract and protecting the vital interests of the data subjects.

If Anna goes to her doctor, the legal ground for processing data will be in her contract with her doctor. If Anna were to collapse on the street, the paramedic will be able to process her data lawfully, in order to protect her vital interests. The GDPR furthermore determines that data minimisation and accuracy are important when processing personal data. Data minimisation means that Anna’s doctor can only process the data that is necessary for Anna’s treatment and no more than that. In healthcare, accuracy is, of particular importance, considering that data determines the treatment of a patient. This means that the data needs to be kept up to date.

So if it turns out that Anna needs antibiotics for an infection, her doctor needs to be sure that she is not allergic to the antibiotics he prescribed. These examples all relate to data processed in a medical context. However, personal data, including health data, are also processed outside the medical context, for example, in the apps we saw Anna using. We will come back to this phenomena during this course.