EU GDPR obligations

Answer:

My understanding from your question is that you are a processor and your healthcare customer are the controllers.

Under the EU GDPR the processors have the following obligations:

1. To appoint a representative if based outside of the Union - art. 27 (https://advisera.com/eugdpracademy/gdpr/representatives-of-controllers-or-processors-not-established-in-the-union/ );
2. To ensure certain minimum provisions in contracts with controllers – art. 28(3) https://advisera.com/eugdpracademy/gdpr/processor/ ;
3. Not appoint sub-processors without specific or general authorization of the controller and to ensure there is a contract with the sub-processor containing certain minimum provisions - art. 28(2) & (4) https://advisera.com/eugdpracademy/gdpr/processor/ ;
4. Only to process personal data on the instructions of the controller unless required to process for other purposes by Union or Member State law (but not foreign law, such as US law) – art. 29 https://advisera.com/eugdpracademy/gdpr/processing-under-the-authority-of-the-controller-or-processor/ ;
5. To keep a record of processing carried out on behalf of a controller – art.30 https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/
6. To co-operate with the supervisory authorities – art. 31 https://advisera.com/eugdpracademy/gdpr/cooperation-with-the-supervisory-authority/ ;
7. To implement appropriate security measures – art. 32 https://advisera.com/eugdpracademy/gdpr/security-of-processing/ ;
8. To notify the controller of any personal data breach without undue delay – art.33 (2) https://advisera.com/eugdpracademy/gdpr/notification-of-a-personal-data-breach-to-the-supervisory-authority/ ;
9. To comply with the rules on transfers of personal data outside of the Union – art. 44 https://advisera.com/eugdpracademy/gdpr/general-principle-for-transfers/
10. All of these requirements as well technical and organizational measures an be found in our EU GDPR Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

In terms of security measures you should apply all necessary security measures to protect the personal data considering the fact that you are processing health related data which is considered special category of data, and a good starting point is the use of ISO27001 as best practice. Our EU GDPR Toolkit has a folder containing a collection of security policies that would come in handy as well.

Don`t forget about setting up a data breach management process because you would need to notify the controllers in case of a data breach.

You might find these materials helpful for your EU GDPR implementation tasks:
- Article: “Does ISO 27001 implementation satisfy EU GDPR requirements?” https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/;
- Article: “EU GDPR controller vs. processor – What are the differences?” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/