Transfer of health data
Data beyond the EU
In Anna’s case, her medical journey remains within the EU. If, however, Anna were to seek medical attention outside the EU and her patient file were transferred outside the EU, the provisions of Chapter V of the GDPR would apply. This Chapter sets out the rules on transfers of personal data to third countries, meaning countries outside the EU. The general principle for transfers is that the controller or processor must comply with the provisions of this Chapter in order to ensure a similar level of protection as provided by the GDPR after transfer of the data. The European Commission decides whether a third country ensures an adequate level of protection (Article 45). If there is no decision in this regard by the Commission, then transfers may only take place if appropriate safeguards are provided and enforceable data subject rights and effective legal remedies are available (Article 46). If there is no decision by the Commission and there are no safeguards put in place, then the transfer may still take place if one of the conditions of Article 49 is met. This includes, for example, the explicit consent of the data subject to the proposed transfer.
This is, however, not the only way in which data can be transferred abroad. Due to the very nature of modern technologies, data is not necessarily bound by countries’ or EU borders. Data can be located, stored and processed anywhere in the world. This raises new challenges and concerns with regard to the protection of personal data, especially if data flows to and from countries outside the EU. Therefore, Article 3 determines that the GDPR applies to processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU if the processing activities relate to offering goods or services to, or monitoring the behaviour of, those data subjects.
Thus, the GDPR, including the additional protection rules for sensitive data, also applies to an app company established outside the EU if it is processing personal data of data subjects within the EU. Anna’s running app, whether or not established in the EU, thus needs to comply with the GDPR.
Protecting Health Data in the Modern Age: Getting to Grips with the GDPR