Expert Advice Community

EU GDPR obligations

Guest user Created: Feb 13, 2018 Last commented: Feb 13, 2018

My company's software is used in the medical field. Our clients use it in the cloud (SaaS). They are mostly healthcare facilities, and their patients' data is stored in our software/application. To comply with the GDPR, our company just has to ensure the security of the information system, correct? So data encryption, data access policies, etc.?

Expert
Andrei Hanganu Feb 13, 2018

Answer:

My understanding from your question is that you are a processor and your healthcare customers are the controllers.

Under the EU GDPR the processors have the following obligations:

1. To appoint a representative if based outside of the Union – art. 27 (https://advisera.com/eugdpracademy/gdpr/representatives-of-controllers-or-processors-not-established-in-the-union/);
2. To ensure certain minimum provisions in contracts with controllers – art. 28(3) (https://advisera.com/eugdpracademy/gdpr/processor/);
3. Not to appoint sub-processors without specific or general authorization of the controller, and to ensure there is a contract with the sub-processor containing certain minimum provisions – art. 28(2) & (4) (https://advisera.com/eugdpracademy/gdpr/processor/);
4. Only to process personal data on the instructions of the controller, unless required to process for other purposes by Union or Member State law (but not foreign law, such as US law) – art. 29 (https://advisera.com/eugdpracademy/gdpr/processing-under-the-authority-of-the-controller-or-processor/);
5. To keep a record of processing carried out on behalf of a controller – art. 30 (https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/);
6. To co-operate with the supervisory authorities – art. 31 (https://advisera.com/eugdpracademy/gdpr/cooperation-with-the-supervisory-authority/);
7. To implement appropriate security measures – art. 32 (https://advisera.com/eugdpracademy/gdpr/security-of-processing/);
8. To notify the controller of any personal data breach without undue delay – art. 33(2) (https://advisera.com/eugdpracademy/gdpr/notification-of-a-personal-data-breach-to-the-supervisory-authority/);
9. To comply with the rules on transfers of personal data outside of the Union – art. 44 (https://advisera.com/eugdpracademy/gdpr/general-principle-for-transfers/).
10. All of these requirements, as well as technical and organizational measures, can be found in our EU GDPR Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

In terms of security measures, you should apply all necessary security measures to protect the personal data, considering the fact that you are processing health-related data, which is considered a special category of data; a good starting point is the use of ISO 27001 as best practice. Our EU GDPR Toolkit has a folder containing a collection of security policies that would come in handy as well.

Don't forget about setting up a data breach management process, because you would need to notify the controllers in case of a data breach.

You might find these materials helpful for your EU GDPR implementation tasks:
- Article: “Does ISO 27001 implementation satisfy EU GDPR requirements?” https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/;
- Article: “EU GDPR controller vs. processor – What are the differences?” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/