The health crisis caused by COVID-19 is shaping a new reality in which the secure exchange of, and access to, health data will become increasingly necessary. This complex challenge brings together respect for individual rights and the interests of patients with the need to promote research in pursuit of the public interest. Different approaches to this challenge can be found across Europe. In this webinar, we will present the experiences of three EU-funded projects (BigMedilytics, BodyPass, and DeepHealth), along with an overview of the legal framework and recommendations for enforcing both national regulations and the GDPR, given by an expert in data privacy and security.
❑ National legislations.
✓ Additional safeguards:
o Legal pre-determination.
o Definition of purposes.
o Safeguard the fundamental rights and the interests of the data subject.
o Security measures…
❑ Spanish Case:
✓ Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (17th additional provision. Processing of health data).
o Consent: may include wide areas linked to a medical or research specialty.
▪ Reuse is allowed for purposes or areas of research related to the area in which the initial study was scientifically integrated. Does not apply to trials.
o Public health research in cases of epidemics.
▪ Health authorities and public institutions with competence in public health surveillance may carry out scientific studies without the consent of the affected persons in situations of exceptional public health relevance and seriousness.
▪ Vital interests of the data subject or of another natural person… Society?
o Pseudonymized data
▪ (i) An express confidentiality commitment and a no re-identification agreement are in place.
▪ (ii) Security measures are in place to prevent re-identification and access by unauthorised third parties.
o Further safeguards:
▪ Data Protection Impact Assessment.
▪ Previous Review by the Research Ethics Committee (DPO integrated in)
Principles:
❑ Transparency (arts. 13-14):
✓ Directly.
✓ When personal data have not been obtained from the data subject, Article 14 (3) (a) GDPR stipulates that the controller shall provide the information “within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed”.
✓ Exemptions:
o National Law Exemption.
o The provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1).
▪ Proves impossible by the controller “compulsory”.
▪ Disproportionate effort taking into account: the number of data subjects, the age of the data…
❑ Data minimization.
✓ Volume of data.
✓ Limited storage periods.
✓ Anonymisation preference.
❑ Purpose limitation:
✓ Compatibility presumption.
✓ Consent on trials (art. 28 CTR and EU Commission FAQ).