I would like to express my appreciation towards you continual help regarding GDPR and other regulatory requirements. I find all of them very helpful and insightful.
We manufacture medical devices and some of them are adapted in order to meet customers` needs. To do so, we require minimal health information, just to help us design and manufacture the device. There is a form that is filled in with the information required either by customers (most of the time) or by us and reviewed by customers. This forms never leave the offices and they are saved in password protected folders. Also, when we process this information we do not assign a full name, but a number representing the specific customer or their initials.
Would we need explicit consent request to be added to the forms that contain brief health related information or could this be covered by the Contract lawful basis?
Thank you in anticipation. Any help will be very much appreciated.