Newsletter 63 June 2024



Neurodata: EDPS warns of non-compliance with GDPR and ethics

On 27 June 2024, the European Data Protection Supervisor (EDPS) released its TechDispatch newsletter on neurodata. The EDPS warns that using sensors on or in the brain to collect neurodata in order to monitor people's behaviour is non-compliant with the GDPR and with ethical principles.


The EDPS writes: "In recent years, there is a worrying trend towards a technically possible, though ethically and legally questionable use of some neurotechnologies within a constantly evolving market of services. For example, several multinational companies use neuromarketing research services to measure human brain reaction to ads or products. In addition, a number of neuromarketing companies apply neuroimaging techniques to study, analyse and predict consumer behaviour.


Neurotechnologies have also been used in portable devices for a number of daily activities including education, gaming and entertainment (e.g. wireless helmets connected to smartphones and personal computers). 


The use of artificial intelligence ('AI') systems may also make technically possible exploitation of neurodata for purposes such as law enforcement, screening of migrants and asylum seekers, as well as by private entities for instance for workplace or commercial surveillance.


In this context, it is important to underline that certain uses of neurodata pose unacceptable risks to fundamental rights and are likely unlawful under EU law."


Read the TechDispatch from the EDPS here: TechDispatch #1/2024 - Neurodata | European Data Protection Supervisor (europa.eu)




France: Home Trial Visits

As we explained in a previous Newsletter, in France Home Trial Visits ('HTVs') do not comply with the Methodologies of Reference MR001 and MR003 for clinical studies.


The French Data Protection Authority, the CNIL, published a clarification note (in French) on 16 May 2024:


What it says in a nutshell:

  1. If sites outsource HTVs to external nurses, this is compliant with the 'Methodologies of Reference' ('MRs') MR001 and MR003 published by the CNIL, because such nurses can be considered part of the healthcare team (we knew this already).
  2. If the sponsor contracts with a sub-contractor CRO for the HTVs (which is usually the case), the personal data processing complies with the MRs only if:
     a. patients are informed (in the ICF) that the CRO will be acting as a Processor for the clinical trial (this is usually the case);
     b. the CRO implements a partitioning between i) people having access to the identity of the patient and ii) people having access to healthcare information about the patient;
     c. the sub-contractor keeps the patient data only for a limited duration.


Usually, CROs handling Home Trial Visits comply with points a and c, but not with b. So this brings nothing new for organisations doing Home Trial Visits in France.


To say it differently, organisations doing Home Trial Visits in France do not comply with the French rules on data privacy and have to request a specific authorisation from the CNIL (for each study).

This is unless they draft a specific document.


The CNIL launched a call for public comments on all MRs, which will end on 12 July; it will then take several months before the CNIL eventually updates the MRs. PharMarketing spoke with two health lawyers from the CNIL and they are aware that the MRs do not make HTVs easy. Let's wait and see.


If you would like more information about how to make Home Trial Visits compliant with GDPR in France, contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net



The Swiss-US Data Privacy Framework

You might remember from a previous Newsletter that the Data Privacy Framework ('DPF') is a data transfer mechanism agreed between the EU and the US, with the EU adequacy decision adopted on 10 July 2023, to allow the safe and compliant transfer of personal data from the European Economic Area (EEA) to the US. If the importing organisation in the US self-certifies under the DPF on the website of the US Department of Commerce, then the transfer of personal data to it is allowed and compliant with the General Data Protection Regulation (GDPR).


After the EU-US DPF was validated, the UK adopted its own UK Extension to the DPF (the 'UK-US data bridge'), and Switzerland started the process to implement a Swiss-US DPF.


The effective date of the Swiss-U.S. Data Privacy Framework ('DPF') Principles, including the Supplemental Principles and Annex I of the Principles, is 17 July 2023; however, personal data cannot be received from Switzerland in reliance on the Swiss-U.S. DPF until the date of entry into force of Switzerland's recognition of adequacy for the Swiss-U.S. DPF.


The recognition of adequacy will enable the transfer of Swiss personal data to participating organizations consistent with Swiss law.

Organizations that self-certified their compliance pursuant to the Swiss-U.S. Privacy Shield that wish to enjoy the benefits of participating in the Swiss-U.S. DPF must comply with the Swiss-U.S. DPF Principles.


What Swiss authorities said:

10 July 2023 - The Federal Data Protection and Information Commissioner (FDPIC) has taken note of the EU-US Data Privacy Framework and the corresponding EU adequacy decision. Switzerland is also engaged in discussions on a parallel framework with the U.S. (Swiss-U.S. Data Privacy Framework); these discussions are well advanced. As of September 1, 2023, it will be the responsibility of the Federal Council to decide on the adequacy of states under the new Swiss data protection legislation. It will be up to the Federal Council to determine whether the U.S. can be added to the list in due course. Until such a framework is finalized, Switzerland's adequacy list will remain unchanged.


Read about the EU-US DPF here: https://ec.europa.eu/commissio...


Read more from Swiss authorities here: https://www.edoeb.admin.ch/edo...


For more information on the Swiss-US DPF, contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net




France: CNIL builds a registry of Healthcare Data Warehouses

In June 2024, the French Data Protection Authority, the CNIL, reached out to several of our clients to get information on the Healthcare Data Warehouses ('HDW') that they developed and maintain.


An HDW is a database in which an organisation gathers healthcare data coming from at least two different sources. Here are two typical examples of an HDW:

  • a hospital puts into one large database all patient data coming from the care it provides, from administrative records, from bioanalysis performed outside the hospital, etc.
  • a large pharmaceutical company puts into one large database the patient data from all the clinical trials it has sponsored in the past decades.


The CNIL sent an Excel file to be populated with the following information:

  • Objective of the HDW
  • Who is the Data Controller
  • Is the Controller compliant with the CNIL's guidelines (reference framework) for HDWs?
  • Who are the stakeholders?
  • Is a Healthcare Network part of the HDW?
  • Categories of Personal Data collected
  • Number of data subjects
  • Number of countries
  • Number of studies run on the HDW


Are you planning to implement a Healthcare Data Warehouse and do you need directions to comply with the GDPR, healthcare laws and local guidelines such as those of the French CNIL?

==> Contact Bertrand at b.p.lebourgeois@pharmarketing.net to learn how to comply with data privacy, IT security and local health laws.



Switzerland: Revised Data Protection Law: obligation to have a Swiss Data Protection Representative

Ten months after the revised Swiss Federal Act on Data Protection came into force on 1 September 2023, we wanted to give you a quick update on its impacts for organisations based outside Switzerland, and also for those based in Switzerland.


What are the impacts for organisations?

  • Swiss Data Protection Representative ('CH DPR') mandatory if high risk
    • Any organisation in the world processing personal data of people based in Switzerland, and which does not have an establishment in Switzerland, must appoint a Swiss Data Protection Representative ('CH DPR') if its processing of personal data might result in a significant impact on the private life of data subjects ('high risk'). For example, any activity processing patient data is considered 'high risk', even if the data set is de-identified (pseudonymised): pseudonymised data is still personal data, as it is under the GDPR.
    • The CH DPR must be located in Switzerland.
    • PharMarketing has consultants based in Switzerland with experience in data privacy and in the life sciences industry, who can act as CH DPR for your organisation.
  • Extraterritoriality
    • Like the EU/UK GDPR, the Swiss LPD ('Loi sur la Protection des Données' in French), or revised Federal Act on Data Protection ('FADP' or 'nFADP') in English, applies extraterritorially. Its scope is even wider than that of the GDPR: the LPD applies to any organisation worldwide whose activity could have an effect on the private life of data subjects based in Switzerland.
  • Records of Processing Activities ('ROPA'), data breaches and privacy governance
    • All organisations globally must draft a ROPA, procedures for managing personal data breaches, and personal data governance.
  • DPIA mandatory if high risk
    • It is mandatory to draft a Data Protection Impact Assessment ('DPIA') if the risk to the private life of data subjects is deemed to be high.
  • DPO not mandatory
    • The revised LPD introduces the notion of Data Protection Advisor ('ADP', in French 'Conseiller à la protection des données'). It is not mandatory for commercial organisations to appoint an ADP.


For more information on the impacts of the revised LPD, or if you need a CH DPR, contact Bertrand at b.p.lebourgeois@pharmarketing.net




New administrative order in France for health data hosting rules

On 16 May 2024, the administrative order ('arrêté') of 26 April 2024, modifying the order of 11 June 2018 on the certification of healthcare data hosting in France ('Hébergement de Données de Santé' or 'HDS'), was published in the Official Journal.


The new items brought by this order are the following:

  • It takes into account the ISO/IEC 27002 standard on information security controls.
  • It restates the clauses that should be in the contract between the hosting company and its clients; the order recommends using the language of the Standard Contractual Clauses published by the EU Commission ('SCCs') and making sure the contract contains data privacy language.
  • The healthcare data should be hosted only in the European Economic Area ('EEA'), which is made up of the EU plus Norway, Iceland and Liechtenstein. If not, the hosting company should indicate, in the contract and on its website, the list of countries where the data is hosted and, if any extraterritorial laws might harm the private life of patients, the risk analysis it performed showing that the risk to the private life of patients is limited. We recommend that the client also drafts its own risk analysis.
  • The order clarifies the meaning of activity 5, 'administration and management of an Information System containing health data'.
  • The reference guideline clarifies what the 'validation of interventions' means.


France is not the only country to require the use of a certified healthcare hosting company; the UK, for example, has a similar requirement.


However, this requirement applies only to healthcare data collected during care provided by a Healthcare Professional ('HCP') to a patient. At this time, in France it does not apply to patient data collected in the course of a clinical trial.

Download the new administrative order here: https://www.legifrance.gouv.fr...


If you would like guidance regarding this requirement for certified healthcare data hosting, contact Bertrand at b.p.lebourgeois@pharmarketing.net, Karine at k.i.renault@pharmarketing.net or Caroline at c.x.josse@pharmarketing.net.




Breaches of health data: decisions of EU authorities

European Data Protection Authorities have published several decisions related to the processing of health data in the past months.

Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and to avoid a critical finding.

Thanks to GDPRhub, maintained by noyb, for all this valuable information!


ITALY:


Fact:

The Italian Data Protection Authority, the Garante, fined a hospital €75,000 after it processed health data for purposes other than simply providing healthcare to the data subject. It noted that such further processing would have needed specific consent from the data subject. Read the case on GDPRhub.


Takeaway:

Personal data can be processed only for a specific purpose. If you want to reuse such personal data for another purpose, then you must at a minimum inform the data subjects of the reuse and, in some cases (health data in particular), obtain their consent again.


Fact:

The Italian DPA reprimanded a processor for having breached Article 5(1)(f) GDPR and Article 32 GDPR since, following a software update, the platform of a healthcare provider suffered from a vulnerability that allowed logged-in patients to access other patients' reports. Read the case here: Garante per la protezione dei dati personali (Italy) - 9973790 - GDPRhub


Takeaway:

Make sure that after a software update your IT service provider runs what is called a 'non-regression test' and checks that everything is still working as before. Such a test should cover access control, not only functionality: verify that a logged-in patient can retrieve only their own reports, and that a request for another patient's report is refused.


ROMANIA:

Fact:

The Romanian DPA found a physician to have breached Article 5, Article 6(1) and Article 9 GDPR for recording a patient on his personal telephone, without her consent, and posting the video on his Facebook page. The DPA issued a fine of RON 9,919.2 (approximately €2,000). Read the case here: ANSPDCP (Romania) - Fine to a physician for recording a patient on his personal telephone - GDPRhub


Takeaway:

A physician can process the healthcare data of their patients for the purpose of providing care, but cannot reuse that data for another purpose without informing the patient and obtaining their consent.


SWEDEN:

Fact:

The Swedish Supreme Administrative Court (Högsta förvaltningsdomstolen) ruled that the EU General Data Protection Regulation (GDPR) qualifies as a law prohibiting the publication of personal health data as per the Freedom of Expression Act. This decision came after Verifiera AB was reprimanded for publishing court decisions containing sensitive health information.

Takeaway:

No organisation can collect, process or publish personal health data unless it falls under one of the exceptions of Article 9(2) GDPR. In addition, organisations must check that they have a valid legal basis and a specific purpose, that they have informed the patient of the processing, and, where required, that they obtained the patient's consent before processing the data.


For any question on breaches of healthcare data, how to prevent them and what to do if one takes place, feel free to contact one of our expert Healthcare consultants at contact(at)pharmarketing.net



  1. We are a Swiss company and we collect quality of life information from Swiss patients: do we need to appoint a Data Protection Officer? yes / no

    Answer: no; a Data Protection Officer is not mandatory in Switzerland, even if some cantonal data protection authorities say it can be a good idea.

  2. My company is based in Germany and we will start recruiting patients in Switzerland for a clinical study; we do not have an office in Switzerland: do we need to appoint a Swiss Data Protection Representative there? yes / no

    Answer: yes, because a clinical study is a processing of personal (health) data involving a large volume of data, which could result in a high risk to the private life of the data subjects.
    