Abstract

The European General Data Protection Regulation (GDPR) is the fundamental set of rules that constitutes the framework of data protection legislation in Europe. Although national legislators can define the conditions of permission for the processing of health data, the GDPR contains a wide range of requirements that must be fulfilled when processing health data.

The processing of personal data is prohibited. Health data or genetic data may only be processed if processing is permitted by law or if the person whose data are to be processed has expressly consented to the processing. Personal data also includes pseudonymous data. Persons whose data are processed have, in principle, “data protection rights”: they must be informed about the processing and can, for example, request information about the processing or correction, deletion or transmission of the data.

Article 5 GDPR contains principles that must be guaranteed for every processing operation of personal data. In particular, the processing must be transparent for the data subjects, and the data may only be processed within the scope of the previously defined, clear and legitimate purposes. Personal data must be necessary and appropriate to the purposes for which they are processed. It must be specified at the start of processing how long the data will be stored; unlimited storage of data is illegal.

The security of the data must be guaranteed for the entire duration of processing, from the beginning of collection to deletion. The principles of “Privacy by Design” and “Privacy by Default” must be applied. Requirements for the implementation of the specifications to be fulfilled with regard to the security of the processing can be found in Article 32 GDPR.

If personal data is processed in a third country, that is, a country outside the EU or EEA, the requirements of Chapter V of the GDPR must be met.

The GDPR contains many other requirements, in particular the need to prove that the requirements of the GDPR are being complied with in processing personal data (“accountability”). Ultimately, this proof can only be provided by describing the process workflows, documenting the processing and checking whether the described processes are complied with.

Keywords: European General Data Protection Regulation (GDPR); Rights of the data subject; Data Protection; Data Security
