General Data Protection Regulation in Medical Technology
Since 25 May 2018, the General Data Protection Regulation (GDPR) has applied throughout the EU. It is not only European companies that have to deal with its extensive rules: the GDPR also binds companies in third countries that offer goods or services to people in the Union or monitor their behaviour. In principle, anyone who processes personal data of natural persons who are in the Union falls within the scope of the Regulation. The much higher sanctions in particular, fines of up to 20 million euros or up to 4 % of total worldwide annual turnover, whichever is higher, will bring the issue of data protection to the fore.

Processing of Personal Data
If not already done, it is now unavoidable to review data protection management and adapt it to the requirements of the GDPR. In principle, the processing of personal data is prohibited unless there is a legal basis under Article 6 GDPR (e.g. consent of the data subject, performance of a contract) or another legal provision. The GDPR focuses on strengthening the rights of data subjects. Data subjects have the right of access, rectification and erasure and can withdraw their consent at any time without giving reasons. The duty to inform covers, among other things, the duration of storage, the legal basis for processing, the processing activities carried out and any transfer of data to third parties or third countries. Data must be kept accurate and up to date, inaccurate data must be corrected or erased, and data may only be retained for as long as is necessary for the purpose. This is the basis of the data subjects' "right to be forgotten".

All processing operations must be documented in a record of processing activities. The record shall contain, inter alia, information on the processing, the responsibilities, the deadlines for erasure and, in practice, an initial risk assessment. Based on the result of the risk assessment, technical and organizational measures must be implemented. For high-risk processing, a data protection impact assessment must be carried out. The obligation to keep the record does not apply to companies employing fewer than 250 people, provided that the processing is only occasional, is unlikely to result in a risk to data subjects and does not involve special categories of data (e.g. religious beliefs). Since employers in Germany must record the religious affiliation of their employees for payroll accounting (church tax), this exemption is in practice almost never available.

Tasks of the Data Protection Officer
In addition, controllers are subject to a notification obligation and must report personal data breaches to the competent supervisory authority, under Article 33 without undue delay and where feasible within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects. To this end, companies should establish internal processes ensuring that every data protection breach is reported internally without delay. Communication with the supervisory authority is the responsibility of the data protection officer. A data protection officer must be appointed and notified to the authority if the core activities of the company consist of processing that requires regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data. Public bodies must always appoint a data protection officer. According to the German Federal Data Protection Act (BDSG), the same applies if, as a rule, at least 20 persons are permanently engaged in the automated processing of personal data. In practice this means that a company with 20 or more employees who work at a computer (e.g. with e-mail in Outlook) must register a data protection officer with the competent supervisory authority. The contact details of the data protection officer must also be published, for example in the legal notice (Impressum) on the company's website.

All in all, the GDPR requires companies to rework existing processes, implement new ones, train employees, identify processing activities, introduce technical and organizational measures for data protection, assess the consequences of a data breach and keep the corresponding risk low.

The GDPR introduces a multitude of new requirements and places the protection of personal data at the centre of attention worldwide.

Do you already comply with the requirements of the GDPR? Have you already registered your data protection officer and created the record of processing activities? We will be happy to support you so that your data protection management is GDPR-compliant in the future.

Please contact us for further details on the subject of "General Data Protection Regulation" or for a non-binding offer.