14 March MedTech Europe: GDPR National Legislation State of Play Webinar

Transcription

1 14 March 2018 MedTech Europe: GDPR National Legislation State of Play Webinar

2 GDPR National Legislation State of Play - Germany Susanne Werry, Senior Associate Clifford Chance LLP

3 Interaction of the GDPR and the German data Protection law General Overview - GDPR GDPR as one comprehensive European law on data protection GDPR Aim: Abolishment of fragmentation via full harmonization Adopted on 27 May 2016 Enforceable as of 25 May 2018 Directly applicable as a regulation But: Opening clauses allow for local law amendments regarding certain areas

4 Interaction of the GDPR and the German data Protection law General Overview - German data Protection law First country in Europe to pass an implementation law Germany: First country in Europe to pass an implementation law German Data Protection Amendment Act containing the new German Federal Data Protection Act (Bundesdatenschutzgesetz-neu, BDSGnew ) was enacted and published on 5 July 2017 Entry into force: on 25 May 2018 together with the GDPR Replaces current German Federal Data Protection Act (Bundesdatenschutzgesetz) Consequence: BDSG-new and GDPR will both be applicable in Germany as of 25 May 2018

5 The New German Data Protection law Material Scope BDSG-new contains regulations for public and private sector For private companies the BDSG-new sets rules, e.g. for: video surveillance of public places (Sec.4 BDSG-new), data processing for other purposes, than initially intended (Sec. 24 BDSG-new), data processing in the context of employment (Sec. 26 BDSG-new), data processing related to consumer credits (Sec. 30 BDSG-new), scoring and credit checks (Sec. 31 BDSG-new), limitation of rights of the data subject (Sec BDSG-new), designation of a DPO (Sec. 38 BDSG-new), administrative fines, criminal provisions (Sec BDSG-new), procedural rules for private and public lawsuits (Sec. 20, 44 BDSG-new). But: Criticism as to the question of compliance of these rules with the GDPR

6 The New German Data Protection law Geographical Scope Broad geographical scope of application The new BDSG-new applies where: the controller or processor processes personal data in Germany; the processing of personal data occurs in the context of activities of a German establishment of the controller or processor; or where a European establishment does not exist, the processing occurs within the territorial scope of the GDPR.

7 The New German Data Protection law Details Examples of regulations with high relevance for Med Tech Companies Collection and use of employee data (Section 26 BDSG-new) Special categories of data (in particular Section 22 BDSG-new) Processing of data for research purposes and statistical purposes (Section 27 BDSG-new) Appointment of Data Protection Officers (Section 38 BDSG-new) Sanctions (Section 41 et seqq. BDSG-new)

8 GDPR National Legislation State of Play - Netherlands Erik Vollebregt, Partner Axon Lawyers

9 Implementation in the Netherlands Uitvoeringswet AVG (implementation act GDPR) As we speak still in full swing of being amended in Parliament No amendments specifically relevant to medtech industry Still also has to go through Senate and then declared applicable by Royal Decree DPA advised about it on 6 April 2017 DPA foresees an active educational role too Many administrative law and enforcement related recommendations Vote in Parliament on 13 March

10 What s interesting in the implementation act? Article 19 cooperation protocols with other CAs in NL (typical Dutch thing) Exercise of discretion under article 9 (4) GPDR: Article 24 UAVG re processing that is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law - additional requirements in Article 24 (b), (c) and (d): Research must be in general interest Asking consent must be impossible or prohibitively difficult Safeguards against unjustifiable damage to data subjects privacy Seems to exclude commercial research given general interest criterion What about vigilance and PMS data?

11 What s interesting in the implementation act? Exercise of discretion under article 9 (4) GPDR: Article 30 IAVG exceptions re data concerning health Processing of data concerning health allowed for government, pension funds, employers or institutions active on their behalf for execution of tasks and reintegration (Art 30 (1) article 9 (2) (b) GDPR) implementation of secrecy like in article 9 (2) (h) GDPR Processing of data concerning health allowed by schools and rehabilitation services insofar as necessary for their tasks (Art 30 (2) implementation of secrecy like in article 9 (2) (h) GDPR Processing of data concerning health for HCP, health institutions and social services insofar as necessary for their tasks and insurance companies (Art 30 (3) article 9 (2) (h) GDPR) Processing on the above three bases only by persons under professional or contractual secrecy (Article 30 (4)) Unclear if this includes contractual third parties referred to in Article 9 (2) (h) GDPR Issue (service providers to HCPs and health institutions) If treatment or care require it then processing of data concerning health can be mixed with processing of other categories of sensitive data (Article 30 (5)

12 What s interesting in the implementation act? Convenient implementation table to check exercise of national discretion

13 What else is going on? DPA is trying to scale up but finds that very difficult Everybody is trying to poach their people DPA has announced it wants to set examples in the healthcare industry as soon as GDPR is applicable Make sure it s not you DPA is quite focused on DPIA and technical stuff All enforcement cases result in public reports that are published

14 GDPR National Legislation State of Play - Spain Jesús Yañez Colomo, Partner ECIJA

15 AUTONOMY OF PATIENT National Legislation Characteristics (I)

16 Regional Legislation Characteristics (II)

17 Regional Legislation Characteristics (II)

18 Regional Legislation Characteristics (II)

19 Clinical Trial (I) RD 1090/2015, applies to all requests for authorization of a Clinical Trial and to requests for substantial modifications or notifications concerning the authorized ECs that are in progress or for which the report of results carried out as of January 13, To authorize a Multicenter Clinical Trial in Spain, the authorization issued by the AEMPS is required, and it is only necessary for an accredited CEIm to issue its positive opinion, which will be unique and binding (Article 12.2a), and the conformity at the center by contract. The process of processing authorization requests is simplified. Expires at 2 years if no subject is recruited and it is obligatory to publish results one year after the end date of the same. The AEMPS on its website will facilitate the registration of Clinical Trials with medicines for human use, through a database of free and free use, to serve as a source of information on clinical studies to any citizen.

20 Clinical Trial (II) Non-commercial clinical research: Research carried out by the researchers without the participation of the pharmaceutical industry or medical devices, which has all the following characteristics: The Sponsor is a university, hospital, public scientific organization, non-profit organization, patient organization or individual researcher. Ownership of the research data belongs to the Sponsor from the first moment of the study. There are no agreements between the developer and third parties that allow the use of the data for regulatory uses or that generate an industrial property. Design, realization, recruitment, data collection and communication of research results are kept under the control of the Sponsor. Due to their characteristics, these studies can not be part of a program of development for a marketing authorization of a product. New model of a single clinical trial contract for Spain. It will be signed with all the centers and will be sent to the CEIm. It will be agreed by the Interterritorial Council of the National Health System and the different autonomous communities. One of the problems will be the possible margin of negotiation with this unique model in special cases, although in principle independent trials improve. In this way, a centralized authorization for Europe is established, with a higher level of competence and effectiveness among centers.

21 Preparing for the GDPR Rethinking consent Under the GDPR, in order for consent to be validly given, the same has to meet a new set of onerous requirements. Among other criteria, consent has to be given in by a clear affirmative act that reflects a manifestation of free, specific, informed and unequivocal will of the data subject to accept the processing of personal data. Moreover, it has to be given in an intelligible language. Where does the problem arise? The GDPR does not accept that existing consents remain valid if they do not meet the new requirements of the law. Thus, companies that process a significant part of data with a consent basis (such as in the medical technology sector) must revisit their consent processes and ensure that the same are compliant with the new EU standards. A possible way to achieve this end would be to conduct a gap analysis for all consents obtained.

22 Conducting Risk Analysis All entities that process personal data are now required to conduct a risk analysis of each processing activity. Said analysis is a new comprehensive process that range from assessing processors to international transfers and categories of data. Whenever said analysis result in a high risk from a data protection standpoint (which, among other aspects, it is easy to occur with processing of health data), controllers are must perform an Privacy Impact Assessment (PIA) prior to the processing. Although conducting a PIA could, in theory, translate into an extra cost for the company, not performing a PIA whenever the same is required could result in both reputational damages as well as high penalties (ranging to a maximum of 4% of the company s last year world wide turnover or EUR, whichever is deemed higher).

23 Addressing data subject s right to portability Among other new rights, data subjects are now entitled to receive personal data concerning them, which have been supplied to a controller, in a structured format, commonly used and readable, and transmit them to another controller without being prevented by the controller to which the data were given. On the medical technology industry, the issue of data portability is particularly important as patients can now request companies for data from their medical devices to be transferred to another provider. On this note, while the GDPR does not impose that technically compatible systems are maintained by controllers, it also sets down that data subjects shall have the right to receive the personal data concerning him or her ( ) without hindrance from the controller to which the personal data have been provided. One way to avoid possible issues pertaining to the exercise of this right is to think ahead, redesign systems and ensure that adequate procedures are in place.

24 GDPR National Legislation State of Play - France Olivier Proust, Partner Fieldfisher LLP

25 MedTech Europe: GDPR s implementation into French law Overview of the French data protection law Existing French data protection Act: French Data Protection Act of 6 January 1978 This Act was updated 19 times (last update: 20 janvier 2017) Amendment of the French Data Protection Act: Draft Bill amending French Data Protection adopted in a first hearing by the National Assembly (latest version: February 13th, 2018) Adds new provisions including for the health sector (art. 9, 4 / 36, 5 / 87 GDPR) Draft bill will be discussed in the Senate s public session from March 20th, 2018

26 MedTech Europe: GDPR s implementation into French law Processing of sensitive personal data: principle Changes in line with the GDPR but the introduction of the word supposed creates some uncertainty as to whether French law would comply fully with the GDPR.

27 MedTech Europe: GDPR s implementation into French law Processing of sensitive personal data: exceptions

28 MedTech Europe: GDPR s implementation into French law Additional limitations that apply to health data The draft Bill itself does not prescribe additional measures with regard to the processing of genetic data, biometric data and health data, and gives this competence to the CNIL to prescribe such additional measures. Additional changes in this respect can be expected.

29 MedTech Europe: GDPR s implementation into French law Prior consultation of the DPA New scope of Chapter IX is broader because applies to processing in the health sector in general, and not just for medical research purposes. Cf. CNIL s existing referentials MR001, MR002 and MR003

30 MedTech Europe: GDPR s implementation into French law Consent of minors This age was set at 16 years under the version of the Bill that was introduced in the National Assembly on December 13th, 2017 but was lowered to 15 years after the adoption of the text by the National Assembly. NB: the fact that consent must be obtained jointly by the minor and a parent or legal guardian.

31 MedTech Europe: GDPR s implementation into French law Rights of the data subjects

32 GDPR National Legislation State of Play - UK Cynthia O Donoghue, Partner ReedSmith LLP

33 INTRODUCTION The draft Data Protection Bill Aims to empower individuals to take control of their personal data and assist organisations in the lawful processing of personal data. Updates the data protection laws of the UK (repealing the Data Protection Act 1998). Currently being debated in Parliament. Will ensure the data protection standards of the GDPR are enshrined in UK law post-brexit. Additional functions to the ICO. Modernises and adds to the list of data protection offences.

34 OVERVIEW Part 1 Preliminary: sets out definitions (including personal data, processing, data subject and controller / processor). Part 2 General processing: scope of the GDPR, lawful bases of processing, children, special categories of personal data, automated decisionmaking, exemptions, transfer of personal data outside the EU, provision for archiving, research and statistical purposes. Part 5 The Information Commissioner: the role and powers of the ICO. Part 6 Enforcement: offences and defences.

35 Points of interest special category data Special category data (s.10) Includes: health data, genetic data, biometric data that might identify an individual, data concerning sex life, data concerning racial or ethnic origin. Tighter rules apply processing is permitted but the reasons are narrower. Relevant grounds for processing special category data Explicit consent (but can be withdrawn). Processing necessary in the interests of public health, including ensuring high standards of medicinal products or medical devices. Processing necessary for medical diagnosis, the provision of healthcare or treatment, so long as this is under the supervision of a responsible health professional. Processing necessary for scientific research or statistical purposes.

36 Points of interest new offences Two new criminal offences: (1) Re-identification of de-identified personal data (s.171) - Knowingly or recklessly re-identifying information that is de-identified (anonymised) personal data without the consent of the data controller responsible for the deidentification. Recommended by the National Data Guardian for Health and Care. Particularly relevant to researchers using huge data sets which are often pseudonymised to protect individual privacy. (2) Alteration etc of personal data to prevent disclosure (s.173) The alteration, defacing, blocking, erasure, destruction or concealment of information with the intention of preventing disclosure. Researchers and tech companies must review their best practice procedures in handling Subject Access Requests.

37 Points of interest unlawful retention and accountability Extended criminal offence of unlawful retention of data Considering and documenting how long data should be retained is a new focus. Unlawful retention of data without the consent of the controller even if the data was initially obtained lawfully (s.170(c)). Directors liability The Bill goes beyond the GDPR in boardroom accountability. Includes directors personal liability where a company breaches data protection legislation (s.191). Extends to managers, company secretary and other officers. Also applies if the offence was caused by neglect.

38 Points of interest children and consent Children and consent Article 8 of the GDPR states that children are able to give lawful consent to the processing of their personal data when they are at least 16 years old. The GDPR allows for Member States to lower the age, but no lower than 13. The Bill confirms that UK children from age 13 can give consent for the processing of their personal data in relation to information services.