General Data Protection Regulation (GDPR)

Original Editor - Angeliki Chorti Top Contributors - Angeliki Chorti

Introduction

The General Data Protection Regulation (GDPR) is a European Union (EU) data protection law that provides a set of rules on how personal data should be gathered and handled. It empowers people with control over their personal data. Any business that collects, keeps and analyses data sourced from EU citizens should follow the GDPR guidelines.


The main aim of the GDPR is to make sure that patients own their data at all times and that it is used only for purposes for which they have given direct informed consent. Furthermore, the GDPR protects the following individual rights: [1]

  • Right to access: You have the right to obtain, free of charge, a copy of your personal data and related supplementary information. Access to the collected data can also be requested.
  • Right to rectification: A person has the right to request that their personal data be rectified or completed. The data controller is expected to respond within a month of receipt of the request (or two months if the request is complex).
  • Right to erasure: A person has the right to request erasure of their own personal data, for instance where the data are no longer necessary for the purposes for which they were collected or where consent has been withdrawn.
  • Right to object: Under certain circumstances, and at any time, a person has the right to object to and stop the processing of their personal data.
  • Right to restrict processing: You have the right to request the restriction or suppression of your personal data. This right is not the same as the rights to rectification and objection, although there are some linkages.
  • Right to data portability: You have the right to receive your personal data from an organisation in a commonly used form so that you can easily share it with another.
  • Right not to be profiled: Unless necessary by law or under a contract, decisions affecting a person cannot be made solely on the basis of automated processing.

Employers, the public sector and some organisations whose core activities involve regular and systematic monitoring of personal and sensitive data on a large scale will have to comply with the GDPR obligations and rights. However, these rights are not absolute (an absolute right cannot be restricted or infringed under any circumstances, not even in exceptional cases such as when a state of emergency is declared) [2] and can be restricted by European Union or Member State law.

How does this relate to clinical practice?

All patient information should be collected and used appropriately and according to the requirements of the GDPR to protect personal and sensitive data. This may require organisational and technical security measures to protect patient data in clinical records against unauthorised disclosure or processing.

The same applies to digital services, such as telehealth services. Third parties may be used to process or store patient data, e.g. for assessment and exercise programme software or electronic medical records. These third parties should process and store the data in their systems according to GDPR requirements.

How does this relate to research?

Study subjects' data within the European Union should be gathered and used by researchers and research organisations according to the requirements of the GDPR. [3] However, the GDPR does not provide a formal definition of what constitutes scientific research; instead, it states that processing of personal data for scientific research purposes should be interpreted in a broad manner. [4] Some information on data protection, collection and handling for research purposes can be found in Ethical Considerations for Health-Related Research.

The History of the General Data Protection Regulation

The EU adopted the GDPR in 2016 as a replacement for the 1995 Data Protection Directive. The EU's data protection laws have long been recognised as the gold standard across the world. However, a lot has changed over the last 25 years: technology has advanced immensely and has brought transformations to modern societies that nobody could have imagined. The new GDPR came into force on 25th May 2018; from 2016, Member States had 2 years to ensure its full implementation. The GDPR is now recognised as law across the EU, and any relevant processing after this date falls under the GDPR.

Key highlights in the history of GDPR include the following:

- 24th October 1995: The European Data Protection Directive (Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is adopted.

- 22nd June 2011: The European Data Protection Supervisor publishes an Opinion on the European Commission's Communication.

- 25th January 2012: The European Commission proposes a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy.

- 7th March 2012: The European Data Protection Supervisor adopts an Opinion on the Commission's data protection reform package.

- 23rd March 2012: The Article 29 Working Party adopts an Opinion on the data protection reform proposal.

- 5th October 2012: The Article 29 Working Party provides further input on the data protection reform discussions.

- 12th March 2014: The European Parliament demonstrates strong support for the GDPR by voting in plenary with 621 votes in favour, 10 against and 22 abstentions.

- 15th June 2015: The Council reaches a general approach on the GDPR.

- 27th July 2015: The European Data Protection Supervisor publishes his recommendations to the European co-legislators negotiating the final text of the GDPR in the form of drafting suggestions. He also launches a mobile app comparing the Commission's proposal with the latest texts from the Parliament and the Council.

- 15th December 2015: The European Parliament, the Council and the Commission reach an agreement on the GDPR.

- 2nd February 2016: The Article 29 Working Party issues an action plan for the implementation of the GDPR.

- 27th April 2016: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) is adopted.

- 24th May 2016: The Regulation enters into force, 20 days after publication in the Official Journal of the EU.

- 10th January 2017: The European Commission proposes two new regulations, on privacy and electronic communications (ePrivacy) and on the data protection rules applicable to EU institutions (currently Regulation 45/2001), that align the existing rules with the GDPR.

- 6th May 2018: Member States must have transposed the Data Protection Directive for the police and justice sectors into national legislation. It applies from this day.

- 22nd May 2018: Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [First reading]: preparation for the trilogue.

- 25th May 2018: Corrigendum to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Corrigendum to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

- 25th May 2018: The General Data Protection Regulation applies from this day.

GDPR - Rights and Obligations

Data Protection Authorities (DPAs)

Monitoring and enforcement of the GDPR rests with the data protection authorities (DPAs) of each Member State, which are the first point of contact for the public, relevant organisations and businesses. [5]

The Data Controller and Data Processor

The Data Controller is the natural or legal person or organisation that owns the data and sets the rules on how it is to be collected and processed. The controller is responsible for keeping a record of all processing activities and for designating one or more data processors that can collect and process the data in the name of the data controller.

Each Member State's Data Protection Authority (DPA) is responsible for informing controllers and processors of their obligations and for raising the general public's awareness and understanding of the risks, rules, safeguards and rights in relation to data processing.[5] However, if personal data is processed in different EU Member States, or the business or organisation is part of a group established in different EU Member States, the main contact point may be another Member State's DPA. [5]

The Data Protection Officer (DPO)

The DPO ensures that the organisation processes personal data in compliance with GDPR rules by advising the controller and processors on how to comply with the GDPR. The DPO is designated on the basis of professional qualities and knowledge of data protection law and practices. In some cases the data controller is required to appoint a data protection officer. This happens if:

  • public authorities are responsible for the processing of data;
  • the core activities of the controller or the processor require "by virtue of their nature, their scope and/or their purposes, regular and systematic monitoring of data subjects on a large scale" (Art. 37 (1) b);
  • the core activities of the controller or the processor consist of processing, on a large scale, special categories of data or personal data relating to criminal convictions; or
  • national legislation specifies further cases in which there is an obligation to appoint a DPO.

GDPR Principles

The GDPR follows seven guiding principles of data protection:

Lawfulness, fairness and transparency

- Lawfulness: a lawful basis for collecting data needs to be established, for example processing based on consent, public interest or legitimate interests.

- Fairness: data collection and handling should be undertaken in a way that people would reasonably expect. Obtaining data by deception means the data controller breaches the principle of fairness.

- Transparency: transparency refers to which data is collected, for what purpose, by whom and for how long it will be kept; this information should be written as clearly as possible in easily understandable language.

Purpose limitation

Data collected for specified, explicit and legitimate purposes cannot be further processed for other, incompatible purposes. The data controller has to specify the purposes for which personal data is collected. In some cases the data can still be processed for new purposes if those are compatible with the original one (e.g. archiving in the public interest, scientific or historical research, and statistical purposes) and consent has been provided, or if a new legal provision requires the processing or allows it in the public interest.

Data minimisation

Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

Accuracy

Data needs to be accurate and kept up to date. The data controller should proactively ensure the accuracy of data and, if any of it is inaccurate, incorrect or misleading, either delete or rectify it. In some cases the data controller can rely on requests from data subjects; in others, records will need to be updated anyway.

Storage limitation

Personal data should be kept for a predetermined period of time and no longer than necessary. When the purpose for keeping the data is no longer relevant or it is out of date the data should be deleted or anonymised. This ensures that data are not irrelevant, excessive, inaccurate or out of date and encourages controllers to set policies on retention limits.

Integrity and confidentiality

Appropriate measures are necessary to ensure the security of the data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

Accountability

The data controller is responsible and thus accountable for compliance with the GDPR, ensuring that all necessary measures are in place.

Legal Basis of GDPR

The GDPR replaces the 1995 EU legal framework and adds some new compliance obligations, e.g. higher sanctions than those enforced under the previous framework. [3] Article 6 of the GDPR sets out six legal bases for a data processing operation:

Consent

The person's consent must fulfil the conditions under Article 7 of the GDPR. This means that consent must be (i) freely given, (ii) specific, (iii) informed, (iv) unambiguous, and (v) given at an appropriate age of consent (this can vary between Member States from 13 to 16 years). Informed consent must be given through a clear affirmative act; it cannot simply be assumed that consent has been granted. The data controller is responsible for demonstrating that consent was lawfully obtained, and for ensuring good documentation and archiving of consent forms.[3] Since the data subject's consent can be withdrawn at any time, this is the weakest lawful basis for data processing.

Performance of a contract

Contractual obligations may apply when the data subject has a contract with someone who needs to process the data subject's personal data to fulfil it. A contract with the data subject is not always necessary: if someone asks you to do something as an initial step before entering a contract and you need to process their personal data to do so, this legal basis also applies.

The term contract is not always a formal legal document, e.g. it may be an oral statement, provided that it meets the requirements of contract law.

This legal basis does not refer to sensitive data. In this case, a separate legal basis must be identified.

Compliance with a legal obligation

This may apply when the processing of personal data is necessary to comply with a common law or statutory obligation, and this obligation should be stated clearly.

Vital interest of the data subject

The data subject's vital interests must be protected. The scope of "vital interest" must be interpreted narrowly. This basis may apply in life-threatening situations in which a data subject cannot consent to the transfer of vital medical data.

Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

This legal basis is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest. It applies when someone needs to perform a specific task in the public interest that is set out in law, or to exercise public functions and powers that are set out in law. The processing must be necessary for that task: if the tasks or powers can be exercised in a less intrusive way, this lawful basis does not apply.[6]

Legitimate interest of the controller or of a third party

An assessment of the necessity and the purpose of the processing operation is required, as well as a balancing test weighing the interests of the data subject against those of the controller and third parties. In other words, the legitimate interest of the controller and of any stakeholder must be weighed against the interests and fundamental rights of the data subject, and the legitimate interest of the controller or third party must ultimately outweigh the interests and fundamental rights of the data subject for the processing to be lawful. Public authorities cannot rely on this legal basis when fulfilling a public task. [3]

Resources

Data Ethics and GDPR - Chartered Society of Physiotherapy, UK

European Data Protection Supervisor. The History of the General Data Protection Regulation.

The General Data Protection Regulation (GDPR) An EPSU Briefing

References

  1. European Data Protection Supervisor. Rights of the Individual. Available from: https://edps.europa.eu/data-protection/our-work/subjects/rights-individual_en [accessed 21/1/24]
  2. Trstenjak V. Limitations of Fundamental Rights in EU Law: Are Human Rights Absolute? European Review. 2023:1-15.
  3. Mondschein CF, Monda C. The EU's General Data Protection Regulation (GDPR) in a Research Context. 2018 Dec 22. In: Kubben P, Dumontier M, Dekker A, editors. Fundamentals of Clinical Data Science [Internet]. Cham (CH): Springer; 2019. Chapter 5. Available from: https://www.ncbi.nlm.nih.gov/books/NBK543521/ [accessed 21/1/24]
  4. Privazy Plan. Recital 159 EU GDPR. https://www.privacy-regulation.eu/en/recital-159-GDPR.htm [accessed 21/1/24]
  5. European Commission Directorate-General for Health and Food Safety. Question and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation. Available from: https://health.ec.europa.eu/system/files/2019-04/qa_clinicaltrials_gdpr_en_0.pdf [accessed 21/1/24]
  6. ICO. Public Task. Available from: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/lawful-basis-for-processing/public-task/ [accessed 21/1/24]