The client is a small company that is a staff of four or five. They are based in the US and provide neurologic brain testing for patients usually suffering from a stroke. The tests are administered by a doctor or a health clinic. Recently, there is a clinic in Italy that plans on using their software. The number of patients, for the near future, may only be a few dozen.
I have done some research but can't find an exact answer to these questions:
1. Does the company need to have a formal EU Representative?
2. Are there companies that provide EU Representation services?
3. Does this representative need to keep the Record of Processing Activities?
4. If there is one thing that must be focused on to be GDPR compliant, what would that be?
Assign topic to the user
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
"The client is a small company that is a staff of four or five. They are based in the US and provide neurologic brain testing for patients usually suffering from a stroke. The tests are administered by a doctor or a health clinic. Recently, there is a clinic in Italy that plans on using their software. The number of patients, for the near future, may only be a few dozen.I have done some research but can't find an exact answer to these questions:1. Does the company need to have a formal EU Representative?
Yes, the company needs to have a formal EU Representative because they are offering a service/product in an EU Member State.
Are there companies that provide EU Representation services?
Yes, there are consulting firms and lawyers specialized in GDPR and Data Protection laws that offer this service. The company needs an EU Representative located in the country where the service/product is offered as stated in article 27 paragraph 3 GDPR.
Does this representative need to keep the Record of Processing Activities?
Yes, article 30 GDPR requires that “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.” The Record is required because the project will involve health data, which follow under article 9 GDPR and need special protection (this category of data is also known as sensitive data).
If there is one thing that must be focused on to be GDPR compliant, what would that be?"
There is more than one thing to be focused on to be GDPR compliant, but thinking of your project, involving health data which is the particular category of personal data under Article 9 GDPR, I shall say consent and information to the data subject. Patients need to be informed and aware that their data will be processed and transferred to a US company (transfer shall comply with Standard Contractual Clauses) and of course the security of data processing. Information to data subject and safety of data processed is the core of GDPR. Our Toolkit helps organization implement GDPR requirements.
Here you can find more information for starting to be compliant with GDPR:
- A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
- List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/
- 3 steps for data transfers according to GDPR https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
If you need to understand how to comply with GDPR, you can consider enrolling in our free online training:
- EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Here you can find all information about our EU GDPR Toolkit and the expert support: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
Comment as guest or Sign in
Feb 01, 2021