Answer: There is no restriction for hospitals to send patient data to a third party if the hospital has proper privacy notice to inform the patients of such data and if there are binding legal arrangements in place to ensure that the recipients of data comply with the requirement of Article 28 of the EU GDPR.
2. Does the GDPR restrict hospitals in any way from having the third party conduct computations on the encrypted data in order to anonymize and erase the data?
Answer: Hospitals as data controllers can instruct the third processors to anonymize the data and strip it form any attributes that can be linked to a data subject.
3. Does the GDPR restrict hospitals in any way from subsequently using the fully anonymized data for purposes without direct consent, i.e. even commercial purposes?