The General Data Protection Regulation (GDPR) recognises data concerning health as a special category of data and provides a definition of health data for data protection purposes. The innovative principles introduced by the GDPR (privacy by design or the prohibition of discriminatory profiling) remain relevant and applicable to health data as well. In addition, the need for specific safeguards for personal health data, and for a definitive interpretation of the rules that allows effective and comprehensive protection of such data, has now been addressed by the GDPR. Processes that foster innovation and better quality healthcare, such as clinical trials or mobile health, need robust data protection safeguards in order to maintain the trust and confidence of individuals in the rules designed to protect their data.
Opinion of 5 March 2009 on the proposal for a directive on standards of quality and safety of human organs intended for transplantation, OJ C 192, 15.08.2009, p. 6
Opinion on the proposal for a Directive on the application of patients' rights in cross-border healthcare, OJ C 128, 06.06.2009, p. 20
Opinion of 4 June 2008 on the notification for prior checking regarding pre-employment and annual medical check-ups (Case 2007-176)
This opinion concerns the pre-employment and annual medical check-ups organized at the CPVO. The recommendations of the EDPS include the following:
Regarding data quality, the scope of data collected on the medical overview form and the information included on the certificate of fitness should be revised to comply with the principles of relevance and proportionality. As to the conservation of the data, a reasonable, definite time frame must be established by the CPVO for the conservation of each category of employee and candidate medical data held by the CPVO. On information to data subjects, clear and specific information needs to be provided to data subjects regarding all items listed under Articles 11 and 12 of the Regulation. With respect to the pre-employment medical check-up, the EDPS also recommends the additional information on anti-discrimination referred to in point 3.8.4 of the Opinion. Finally, with regard to processing data on behalf of controllers, the service contracts concluded with the CPVO Physician and the CPVO Medical Centre should be modified to address data protection aspects pursuant to Article 23 of the Regulation. Instructions should be provided to the processors to comply with the minimum data protection safeguards recommended in this Opinion.