Presentation about the impact of the GDPR in eHealth, specifically for the pharma industry at the Dutch Pharmaceuticals and Law Association

1. EHEALTH AND
GDPR
VFenR - AVG wie doet er mee
24 mei 2018
Erik Vollebregt
www.axonadvocaten.nl

2. GDPR hateful eight
Connected health related top 8 points of attention:
1. Informed consent criteria
2. Data concerning health scope
3. Right to be forgotten (applies to commercial collection of
health data)
4. Impact assessment (and privacy by design)
• For data concerning health
• In case of profiling
5. Profiling requirements
• including right to object if processing significantly
affects data subject
6. Data portability right of user
7. Security requirements
8. Export of data to extra-EU jurisdictions

5. Health data case
study
• DPAs already take expansive view of
health data
• Performance data becomes health data

6. GDPR’s Hateful 8
Connected health related top 8 points of attention:
1. Informed consent criteria
2. Data concerning health scope
3. Right to be forgotten (applies to commercial collection of
health data)
4. Impact assessment (and privacy by design)
• For data concerning health
• In case of profiling
5. Profiling requirements
• including right to object if processing significantly
affects data subject
6. Data portability right of user
7. Security requirements
8. Export of data to extra-EU jurisdictions

7. Consent-based
business model tricky
‘GDPR: ‘means any freely given, specific,
informed and unambiguous indication of the
data subject's wishes by which he or she, by a statement or by a
clear affirmative action, signifies agreement to the processing of
personal data relating to him or her’
Recitals 32, 42 and 43 GDPR
• silence, pre-ticked boxes or inactivity do not constitute consent
• Processing for multiple purposes? Consent should be given for
all of them!
• Controller must be able to prove valid consent was obtained and
provide intelligible consent language
• Consent invalid “in a specific case where there is a clear
imbalance between the data subject and the controller” 7

8. Scope of ‘health data’

9. When is health data anonymous?
WP 216 on Anonymisation Techniques (para 2.2):
• Anonymisation is further processing personal data with the aim of
irreversibly preventing identification of the data subject.
• Several anonymisation techniques may be envisaged, there is no
prescriptive standard in EU legislation.
• Importance should be attached to contextual elements: account must be
taken of “all” the means “likely reasonably” to be used for (re-)
identification by the controller and third parties
• A risk factor is inherent to anonymisation: this risk factor is to be
considered in assessing the validity of any anonymisation technique –
pseudonomisation is not anonymisation (e.g. if linkable through
datasets)

10. Research – ‘Right to be forgotten’
Article 17 (1) GDPR: The data subject has the right to obtain the
erasure of personal without undue delay from the controller.
The ‘right to be forgotten’ ONLY does not apply if the processing
takes place:
‘for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes in accordance with
Article 89(1) in so far as the right referred to in paragraph 1 is likely
to render impossible or seriously impair the achievement of the
objectives of that processing.’ (article 17 (3) (d)
Right to be forgotten does apply in all commercial processing of
health data for the purpose of services!

11. Privacy by
design and
default,
PIAs

12. Impact Assessment
Article 35
• PIA prior to processing
• Authorities will make lists of operations subject to PIA
• Prior consultation of DPA regarding residual risks (article 36)

13. Impact Assessment

14. Profiling requirements
• Profiling based on health data -> always PIA
• 'profiling' means any form of automated processing of personal data
consisting of the use of personal data to evaluate certain personal
aspects relating to a natural person, in particular to analyse or predict
aspects concerning that natural person's performance at work, economic
situation, health, personal preferences, interests, reliability, behaviour,
location or movements;
• Data subject must be informed
• Article 22: right not to be subject to a decision based solely on
automated processing, including profiling, which produces legal effects
concerning him or her or similarly significantly affects him or her, unless
• decision is necessary for performance or entering into contract
• decision is based on explicit consent
• AND:
• explicit consent in case of profiling based on health data
• suitable measures to safeguard the data subject's rights and
freedoms and legitimate interests are in place

15. Data portability right
• Controller must inform data subject about right, and:

16. Security
Data controllers and processors should implement appropriate
technical & organizational measures to protect data from loss or
any form of unlawful processing
• Article 32 defines security principles
Security measures must take into account (recital 78):
• Nature of the data to be protected and consequences of security
breach
• State of the art
• Security by design
• Aim to prevent unnecessary collection and further processing of
personal data
• Overriding principle: Plan-Do-Check-Act
• Data breach notification (article 33/34)
• to DPA (<72 hours) and to data subject
• processor must inform controller

17. Export
Chapter 5
Export only with legal basis:
• Adequacy decision (or Privacy Shield)
• Appropriate safeguards (BCR and SCCs) ensuring third party rights for
data subjects, approved code or certification mechanism
• Specific situation
• informed consent
• necessary for performance of contract

18. Known unknowns and wide open
doors
• This means that member states can still require geofencing, hosting
accreditation and things like that for processing of genetic, biometric
and/or health data!
• Only restriction is that these cannot be contrary to the requirements of
the internal market and must be proportionate

19. Bonus slides on GDPR
implementation in NL

20. What’s interesting in the AVG implementation
act?
Article 19 – cooperation protocols with other CAs in NL (typical Dutch thing)
Exercise of discretion under article 9 (4) GPDR:
Article 24 UAVG re processing that is necessary for archiving purposes in
the public interest, scientific or historical research purposes or statistical
purposes in accordance with Article 89(1) based on Union or Member State
law - additional requirements in Article 24 (b), (c) and (d):
Research must be in general interest
Asking consent must be impossible or prohibitively difficult
Safeguards against unjustifiable damage to data subjects privacy
Seems to exclude commercial research given general interest criterion
What about vigilance and PMS data?

21. What’s interesting in the AVG implementation
act?
Exercise of discretion under article 9 (4) GPDR:
Article 30 IAVG – exceptions re data concerning health
Processing of data concerning health allowed for government, pension funds,
employers or institutions active on their behalf for execution of tasks and re-
integration (Art 30 (1) – article 9 (2) (b) GDPR) – implementation of secrecy like
in article 9 (2) (h) GDPR
Processing of data concerning health allowed by schools and rehabilitation
services insofar as necessary for their tasks (Art 30 (2) – implementation of
secrecy like in article 9 (2) (h) GDPR
Processing of data concerning health for HCP, health institutions and social
services insofar as necessary for their tasks and insurance companies (Art 30
(3) – article 9 (2) (h) GDPR)
Processing on the above three bases only by persons under professional or
contractual secrecy (Article 30 (4))
Unclear if this includes contractual third parties referred to in Article 9 (2) (h) GDPR
(service providers to HCPs and health institutions)
If treatment or care require it then processing of data concerning health can be
mixed with processing of other categories of sensitive data (Article 30 (5)
Issue

22. What’s interesting in the AVG implementation
act?Convenient implementation table to check exercise of national discretion

23. Bonus slides on cybersecurity and
GDRP – MDR overlaps

24. General EU current security
regulations and standards: data
protection
• Protection against e.g. alteration and unauthorized access have
everything to do with cybersecurity, as these impact directly on safety
and performance of the device.
• Non harmonization of the Data Protection Directive is a big problem
because it leads to the situation of member states taking different views
on security terms requirements.
• Dutch NCA refers to ISO 27000 family as informal harmonised standard
• Dutch sauce ISO 27002 mandatory standard in Dutch healthcare
market (NEN 7510, 7512 and 7513)

25. General EU security regulations and
standards
• Currently authorities mainly approach cybersecurity issues via Data Protection
Directive, which features a secutiry regime in Article 17(1):

26. Privacy by design obligations for
medical devices
• WP 223: Controller has responsibility for security of IoT devices
• Parties purchasing OEM devices and solutions will want privacy by
design compliance warranties

27. Privacy by design obligations for
medical devices
WP 223 on end of life devices and remote monitoring / measuring devices

28. Concurrent privacy by design
requirements under GDPR
• General Data Protection Regulation has already entered into force,
transitional period ending 25 May 2018
• Will apply to any device that processes personal data, both on hardware
and software level – possible overlaps with MDR
• Requires privacy by
• Design
• Default
• Requires cybersecurity measures, but so does the MDR
• GSPRs 17.1, 17.2 and 17.4

29. GDRP security thinking
Recital 81: “the controller should use only processors providing sufficient
guarantees, in particular in terms of expert knowledge, reliability and
resources, to implement technical and organisational measures which will
meet the requirements of this Regulation, including for the security of
processing. ”

30. GDPR security thinking
• Under the MDR / IVDR costs of implementation are irrelevant for risk
reduction (AFAP principle in GSPR 2)

31. Security requirements

32. Security design requirements (art.
32)
Controller and the processor shall implement appropriate technical and
organisational measures to ensure a level of security appropriate to the
risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data
(b) the ability to ensure the ongoing confidentiality, integrity, availability and
resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a
timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the
effectiveness of technical and organisational measures for ensuring the
security of the processing.
Take account of risks that are presented by processing, e.g. accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access
to personal data transmitted, stored or otherwise processed.

33. Overlap of risks and different
approaches
MDR / IVDR
• Security by design aimed to safeguard safety and performance (Safety,
Reliability and Availability (SRA) for cyber physical systems)
GDPR
• Security by design and default aimed at data integrity (Confidentiality–
Integrity–Availability (CIA) for corporate processes)
Map security risks under GDPR that are also (partially) safety and
performance risks under MDR / IVDR
• Those risks are subject to AFAP reduction by means of design insofar as
they concern the device (GSPR 2 and EN ISO 14971:2012 ZABC
annexes)

34. Overlap of risks and different
approaches - nice model
GDPR orientation
MDR / IVDR orientation

35. It all starts with a PIA and selection
of approaches based on that
Mandatory and prior to processing if processing is likely to
result in a high risk to the rights and freedoms of natural
person, especially in case of
(a) systematic and extensive evaluation of personal aspects
relating to natural persons based on automated processing
(incl. profiling), and on which decisions are based that
produce legal effects concerning the natural person or
similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data
(e.g. health); or
(c) systematic monitoring of a publicly accessible area on a
large scale
• Mandatory advice of the data protection officer required
• Authorities to specify what processing subject to PIA

36. www.axonlawyers.com
THANKS FOR YOUR ATTENTION
Erik Vollebregt
Axon Lawyers
Piet Heinkade 183
1019 HC Amsterdam
T +31 88 650 6500
M +31 6 47 180 683
E erik.vollebregt@axonlawyers.com
@meddevlegal
B http://medicaldeviceslegal.com
READ MY BLOG:
http://medicaldeviceslegal.com