Transfer of health data

As you have seen in the previous step, Anna’s data is shared frequently between the various organisations involved in her medical journey.

Anna’s General Practitioner (GP) shares information with her gynaecologist who shares it with her colleague abroad. They all share information with Anna’s insurance company for payment of her medical bills. The GDPR refers to this as ‘disclosing personal data’ to a recipient. A recipient is a natural or legal person, public authority, agency or other body, to which the personal data are disclosed. In Anna’s case, her GP needs to disclose Anna’s health data to her gynaecologist so that she can treat her. Her gynaecologist needs to disclose Anna’s health data to her colleague in Germany so that he can continue the treatment and provide a second opinion. Both gynaecologists need to disclose their findings to her GP so that he has full knowledge of what is going on for future treatment as he is, in general, her first point of contact for medical issues. When this data is shared, the receiver becomes the controller of this data. The data has been obtained from another controller, not from the data subject.

Article 14 of the GDPR determines that where personal data has not been obtained from the data subject, the controller has the obligation to provide the data subject with information about the processing activities. However, this obligation does not apply if the data subject already has the information, if providing the information proves impossible or would involve a disproportionate effort, if obtaining or disclosing the information is laid down by law or if the personal data remains confidential subject to an obligation of professional secrecy. Anna’s data can thus be shared between her GP and her gynaecologists without them having to inform her, because the latter exemption applies: all parties are bound by professional secrecy. They do however need to ensure security of the data and keep records of categories of recipients based on Article 30 in order to demonstrate compliance with the GDPR upon request by the national supervisory authority. If an app company who processes health data wants to disclose information to a recipient, the exemptions do not apply. This means that the recipient does need to provide the data subject with information including the identity and contact details of the (new) controller, the purpose of processing, the categories of personal data concerned, recipients, etc.

Data beyond the EU

In Anna’s case, her medical journey remains within the EU. If Anna were however to seek medical attention outside the EU and her patient file would be transferred outside the EU, the provisions of Chapter V of the GDPR would apply. This Chapter provides for provisions on transfers of personal data to third countries, meaning outside the EU. The general principle for transfers is that the provisions of this Chapter need to be complied with by the controller or processor in order to ensure a similar level of protection as provided by the GDPR after transfer of the data. The European Commission decides whether a third country ensures an adequate level of protection (Article 45). If there is no decision in this regard by the Commission, then transfers may only take place if appropriate safeguards are provided and enforceable data subject rights and effective legal remedies are available (Article 46). If there is no decision by the Commission and there are no safeguards put in place, then the transfer may still take place if one of the conditions of Article 49 are met. This includes for example the explicit consent to the proposed transfer by the data subject.

This is however not the only way in which data can be transferred abroad. Due to the very nature of modern technologies, data is not necessarily bound by countries’ or EU borders. Data can be located, stored and processed anywhere in the world. This raises new challenges and concerns with regard to the protection of personal data, especially if data flows to and from countries outside the EU. Therefore, Article 3 determines that the GDPR applies to processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU if the processing activities relate to offering goods or services or monitor the behaviour of data subjects. Thus, the GDPR, including the additional protection rules for sensitive data, also applies to an app company established outside the EU if it is processing personal data of data subjects within the EU. Anna’s running app, whether or not established in the EU, thus needs to comply with the GDPR.