1. Obligation to obtain explicit consent when processing patient data

At the stage of collecting patient data, a member must obtain consent from the patient to ensure the lawfulness of the processing of personal data (Article 6(1)(a),). In particular, a member must obtain explicit consent from the patient for processing the ‘biometric data' (Article 4(14)), 'data concerning health' (Article 4(15)), such as facial photos, oral photos, radiographs, treatment details, etc (Article 9(1), (2)(a)).

2. Obligation to provide information

A member must provide all of the following information to the patient (Article 13).

• the identity and the contact details of the controller and, where applicable, of the controller's representative;
• the contact details of the data protection officer, where applicable;
• the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
• where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
• the recipients or categories of recipients of the personal data, if any;
• where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
• the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
• the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
• where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
• the right to lodge a complaint with a supervisory authority;
• whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; m
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. Other Obligation as a controller

As a controller, a member may bear the following obligations under the GDPR.

• maintains a record of processing activities (Article 30)
• designates a Data Protection Officer (DPO) (Article 37)
• implements Data Protection Impact Assessment (DPIA) under the supervision of the DPO and trains its employees for data protection (Article 39).
• obtains the explicit consent of a patient in case of automated individual decision-making, including profiling (Article 22), and has the consent of the holder of parental responsibility over a child for the child’s data processing, in which case it makes reasonable efforts to verify if such consent is given or authorized by the lawful person, taking into consideration available technology (Article 8).
• obtains the explicit consent of a patient in case of transfer of personal data to third countries (Article 49).
• allows a patient to exercise his or her rights guaranteed by GDPR as follows: the right to receipt of his or her data (Articles 13 and 14), the right to access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), the right to object (Article 21) and the right not to be subject to an automated individual decision-making, including profiling (Article 22).
• complies with the obligations of data protection by design and by default (Article 25)
• implements technical and operational measures reasonably necessary to prevent the data from leakage and breach (Article 32).
• notifies a personal data breach to the supervisory authority within 72 hours after having become aware of it (Article 33) and communicates a personal data breach to a data subject without undue delay if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34).

Any questions regarding this guide, please contact admin@assemblecircle.com