
The European project Training Activities to Implement the Data Protection Reform (TAtoDPR) has received funding from the Rights, Equality and Citizenship (REC) Programme of the European Union under Grant Agreement No. 769191.

The contents of this Journal represent the views of the author only and are his/her sole responsibility. The European Commission does not accept any responsibility for use that may be made of the information it contains.




The protection of health data in compliance with the GDPR

Ph.D. Avv. Maria Cristina Gaeta, Postdoctoral Research Fellow in Law at Suor Orsola Benincasa University of Naples, Ph.D. in Law at Federico II University of Naples, Coordinator of the Editorial Team of EJPLT.


Challenge Title:  The protection of health data in compliance with the GDPR

Use Case Author

Ph.D. Avv. Maria Cristina Gaeta, Postdoctoral Research Fellow in Law at Suor Orsola Benincasa University of Naples, Ph.D. in Law at Federico II University of Naples, Coordinator of the Editorial Team of EJPLT.

Topic

The protection of health data.

Overview

Wee Ltd is a company that provides services relating to safety and hygiene in the workplace. In particular, Cis Ltd provides these services for small and medium enterprises (SMEs).

To provide these services, Wee Ltd. collaborates with medical and health staff, who carry out inspections and medical visits.

As for its own staff, Cis Ltd has 10 employees, who work in administrative roles covering secretarial functions, customer service and IT security.

Wee Ltd. contacts a law firm to request advice and a privacy adjustment in accordance with the new European legislation on data protection, in the manner deemed most appropriate.

 

1. Engage

Big idea

Privacy adjustment according to the new European legislation on data protection for Wee Ltd.

 

Essential Question

What processing of personal data is carried out by Wee Ltd.?

 

Initial resources

Company statute, company registration, minutes of the board of directors

 

Useful links:

-        Garante Privacy, Chiarimenti sull'applicazione della disciplina per il trattamento dei dati relativi alla salute in ambito sanitario, 7 marzo 2019 [doc. 9091942] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9091942

 

-        Garante Privacy, Linee guida in materia di Dossier sanitario, 4 giugno 2015 [doc. 4084632] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4084632

 

-        Garante Privacy, Linee guida in tema di Fascicolo sanitario elettronico (Fse) e di dossier sanitario - 16 luglio 2009 [doc 1634116] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1634116

 

-        Bonomi M.S., Privacy e dati sanitari: le principali novità introdotte dal GDPR, in Federalismi, osservatorio di diritto sanitario 2018 http://www.astrid-online.it/static/upload/1710/17102018130849-4-.pdf

 

-        Iaselli M., Dati sanitari, come trattarli alla luce del Gdpr, in Altalex, 2018 https://www.altalex.com/documents/news/2018/04/11/dati-sanitari-come-trattarli-alla-luce-del-gdpr

 

-        GDPR: le novità apportate in ambito sanitario, in Diritto.it, 2018 https://www.diritto.it/gdpr-le-novita-apportate-ambito-sanitario/

 

Guiding Questions

List of the starting questions for the privacy adjustment:

-       What personal data are collected?

-       What are the purposes of the processing?

-       How long are the personal data kept? On which hosting server?

-       Is the data processing online or offline? In the first case, are there active cookies?

-       Who are the subjects involved in the processing of personal data?

-       Are privacy by default and privacy by design tools already in place?

Reflections

Other questions to be discussed:

-       Is it necessary to appoint a Data Protection Officer?

-       Is it necessary to carry out a data protection impact assessment?

Other notes

 

 

 

2. Investigate

Activity Description

-        Starting from the company's organisational model and personal data processed, what are the next steps?

-        What documents must be prepared for the privacy adjustment?

 

Resources

Support material:

Provide models to be used for the drafting of the privacy adjustment document.

 

Synthesis

Prepare a Word file indicating:

-        which activities or documents are necessary for the privacy adjustment;

-        which activities or documents are possible but not necessary, and should be prepared for greater protection.

Reflections

Reflections on the activities and documents to be prepared.

 

Other notes

 

 

 

3. Act

Solution Prototypes

Possible solutions.

 

Let's read the solutions of some learners.

 

Solution

Let's definitively establish which activities and documents must be prepared for the privacy adjustment of Wee Ltd.

Implementation plan

 

-        How to proceed to prepare the privacy adjustment?

-        How long do we need?

-        What could be fair and adequate compensation to ask of the customer?

Evaluate

Evaluating the simulation carried out, what would you do differently next time in terms of activities and documentation to be provided for the privacy adjustment, timing and fees?

Other notes

 

 

 

4. Reflection and documentation

Case notes

Reflections on how this case could best be developed in the future.

  

 

