Reasons that justify the processing of health data

The processing of personal data requires special reasons justifying it. In the case of sensitive health data, additonal requirements must be met apart from the general data protection requirements. The Guidelines describe the practical reasons and possible exemptions using concrete examples (part 2 A.1 of the Guidelines (in German)) (PDF, 3 MB). They explain in particular the requirements regarding the approval by the person concerned, which is extremely important in practice, and present a best practice.

Organisational measures to protect health data

Companies that deal with sensitive health data must make organisational provisions to ensure the protection of these data. In the context of these provisions, employees must commit themselves to keep the data secret and a list of all data processing operations must be drawn up. One important requirement is the appointment of a data protection officer who advises the company concerned on data protection and keeps in contact with the competent supervisory authority (part 2 A.II of the Guidelines (in German)) (PDF, 3 MB).

A risk-based data protection impact assessment helps to identify the specific measures to be taken. The Guidelines present the necessary procedures and refer to further guidelines and practical cases (part 2 A.VI of the Guidelines (in German)) (PDF, 3 MB).

Measures to safeguard users’ rights

Persons concerned are granted various rights to protect their data. First, they must be informed by companies about the processing of their data in a data protection statement. Furthermore, persons concerned can request information about their data and/or the correction or deletion of their data. They can object to the further processing of (some of) their data or request the transfer of these data to other suppliers. When companies develop products they must therefore ensure that they can comply with these rights of persons concerned. In addition to the individual rights of persons concerned and their significance, the Guidelines contain proposals for relevant concepts for this purpose (part 2 A.III of the Guidelines (in German)) (PDF, 3 MB).

Data protection requirements

Data security is particularly important in the health sector. The persons concerned and the public react in a very sensitive way in case of data leaks. The GDPR specifies the binding required protection level. The Guidelines describe these requirements in more detail and present examples of adequate security measures as well as the procedure and the related requirements in case of data leaks. In addition, they refer to further guidelines published by data protection authorities and associations (part 2 A.IV and A.V of the Guidelines (in German)) (PDF, 3 MB).

Due to the increasing complexity of data processing, the data are often processed by several persons.

Common responsibility for data security

The general data protection requirements are to be met when several persons are involved in data processing. The Guidelines explain how cooperation can be agreed on and how persons concerned can be informed in line with the general rules (part 2 A.VII of the Guidelines (in German)) (PDF, 3 MB).

Processing by specialised service providers

However, the situation is different when a company commissions a specialised (technical) service provider to process health data on its behalf. This is often the case when cloud services are used. In the case of such data processing by service providers, the GDPR provides for certain privileges and exemptions from the strict requirements applied on the exchange of health data with other companies. In order to be granted such privileges and exemptions, the service provider needs to be commissioned as a contractor subject to instructions, taking account of specific requirements. The Guidelines outline the scope of the privileges and the conditions to be met for this type of processing, using examples. Special consideration is given to service providers abroad, making a distinction between EU countries, privileged third states, the United States and other third countries (part 2 C of the Guidelines (in German)) (PDF, 3 MB).

The requirements pertaining to data protection may vary for special data types. While data that are subject to professional confidentiality must comply with even stricter rules, the requirements do not need to be met in the case of effectively anonymised data.

Data subject to professional confidentiality

Data from doctors and members of other medical professions must meet special requirements as these medical professions are subject to professional discretion whose violation may be subject to criminal prosecution. In these cases, it must therefore not only be examined whether data protection requirements are met, but also whether the processing of data is permitted under professional rules (part 2 B of the Guidelines (PDF, 3 MB) (in German)).

Anonymisation of data

In the case of anonymous or anonymised data, the requirements of the GDPR do not need to be met as the data do not contain information about individuals. However, it should not be taken for granted that health data in particular have actually been anonymised. It must not be easy to identify the person to whom the data refer. This is not the case if the person can still be identified by means of information provided by third parties. As data on an individual’s health are very specific, it is relatively easy to identify persons especially on the basis of health data. The Guidelines therefore present various procedures to successfully anonymise health data (part 2 F.II of the Guidelines (PDF, 3 MB) (in German)).

The data protection requirements may also vary depending on the type of products offered.

Requirements for apps

Apps are a major part of mHealth. Thanks to mobile devices, users can benefit from health services provided anywhere. This, however, may imply special risks for their health data. The Guidelines outline what data protection requirements should be paid special attention to and what additional legal requirements must be taken into account (part 2 D of the Guidelines (PDF, 3 MB)) (in German).

Special requirements for profiling and automated decision-making

Many innovative digital health products make use of profiling and automated decision-making as additional instruments for diagnosis and therapy recommendations. For this purpose, specific personal aspects of natural persons are evaluated to analyse their health conditions. Theoretically, a diagnosis is possible on this basis without the involvement of natural persons. Such applications, however, are subject to particularly strict requirements in view of the related impact on the patients concerned. The Guidelines explain under which conditions the use of such instruments is permitted and what security arrangements must be taken (part 2 E of the Guidelines) (in German).

Big data evaluations

Big data applications are expected to contribute to making progress in the medical sector. The analysis of a huge amount of data helps to identify interactions. Apart from the rare case of anonymised data, such applications must meet special data protection requirements. The Guidelines provide an introduction to this topic and outline solutions (part 2 F.I of the Guidelines (PDF, 3 MB)) (in German).

It is very important for companies to be able to provide proof of compliance with data protection requirements, if necessary. For this purpose, a comprehensive documentation is needed. In addition, various bodies offer to examine whether data protection requirements have been complied with and issue the relevant certificates or certifications. The Guidelines give an overview of these bodies (part 3 of the Guidelines (in German)) (PDF, 3 MB).