GDPR scope - "Personal data" definition - General Data Protection Regulation

#1
Hello everybody,

As a young graduate, I just dived into the GDPR as my first mission. I've been reading a lot on it, and I finally came back to the fundamental question: does it apply to us as a company? Let me explain.
Our device is meant to be used in a hospital. It collects monitoring data from the patient. The data collected is of course made available to health professionals in the hospital, so they can use it in order to take care of the patient. Hence, they are able to link the data to the patient. However, the company will never have access to the name of the patient, and will not be able to link the data to the patient, making him/her impossible to identify for us. Moreover, the data collected won't enable us to know anything about his/her habits and tastes. It will just be numbers, without a link to anybody in particular.
By collecting and hosting this data, our aim is simply to analyze it to determine if there are any patterns that could later help health professionals to prevent certain issues.


  • In this specific case, would anyone know if the data the company will have access to will be considered "personal", since it will just be numbers?

  • Does the GDPR still apply to us as a company?

  • What would this specific situation change for us?


I thank in advance anybody who will take the time to read this, and maybe give some help!


Kind regards,
Laura
 

mihzago

Trusted Information Resource
#2
In general, I think the requirements do not apply to you, especially if the device is not connected to your company servers or in no way transfers the data to your infrastructure.

However, I just did a very similar assessment for a company with a product used during surgery, and I recommended that although the GDPR does not directly apply, there are a number of technical controls that can be implemented in the device to assist the health practitioners or health institutions to comply with the GDPR requirements on their end; especially Article 32, Security of processing.
Some examples are use of login/password to access the device; access to functionality based on roles (admin, user, service, etc.); ability to purge or de-identify data, and a few others.


Also, consider what data you collect during customer support interactions.
 

QAengineer13

Quite Involved in Discussions
#3
I agree with mihzago's comment and, in addition, also think about the "Privacy by design" concepts, i.e. Proactive not reactive, Privacy as the default setting, Privacy embedded into design, Full functionality (Positive-sum, not zero-sum), End-to-end security, Visibility and transparency, Respect for user privacy, into the design if it's not too late. Also think about Data classification, Metadata and role-based access controls (Governance).
 
#4
Thank you for your answer, mihzago. I would just have a few comments/further questions, if you allow me :)

In general, I think the requirements do not apply to you, especially if the device is not connected to your company servers or in no way transfers the data to your infrastructure.
The device is connected to the company servers. But what will be transferred to us will be numbers (such as heart rate) only. In that case, the company will never be able to identify the person these numbers come from. My question is, "In this specific case, are those numbers still considered personal data, as they do not refer to a person anymore?". And depending on this first answer, how would the GDPR then apply?

However, I just did a very similar assessment for a company with a product used during surgery, and I recommended that although the GDPR does not directly apply, there are a number of technical controls that can be implemented in the device to assist the health practitioners or health institutions to comply with the GDPR requirements on their end; especially Article 32, Security of processing.
Some examples are use of login/password to access the device; access to functionality based on roles (admin, user, service, etc.); ability to purge or de-identify data, and a few others.


Also, consider what data you collect during customer support interactions.
Thank you very much for these recommendations and examples. There are definitely options to explore for us!
 

mihzago

Trusted Information Resource
#5
Based on the Recital 26 below, if the data is completely devoid of any personal information, or information that may allow identification, then the regulation would not apply.

Recital 26 Not applicable to anonymous data
The principles of data protection should apply to any information concerning an identified or identifiable natural person.
Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.
 
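The "purge or de-identify" control mihzago lists in #2 and the Recital 26 distinction quoted in #5 (pseudonymised data is still personal data while anyone holds the "additional information" needed to re-link it; aggregated data that no longer singles anyone out is not) can be shown concretely. The Python below is an added example, not code from any poster or product in this thread; the patient records, the hospital-held key and the minimum-group threshold are all constructed for illustration.

```python
import hashlib
import hmac
import statistics
from collections import defaultdict

# Constructed sample: records as the hospital's monitoring system might hold them.
# Names, MRNs and heart-rate readings are made up for this illustration.
HOSPITAL_RECORDS = [
    {"patient_name": "Alice Example", "mrn": "MRN-1001", "ward": "ICU", "heart_rate": 72},
    {"patient_name": "Alice Example", "mrn": "MRN-1001", "ward": "ICU", "heart_rate": 75},
    {"patient_name": "Bob Example", "mrn": "MRN-1002", "ward": "ICU", "heart_rate": 101},
    {"patient_name": "Cara Example", "mrn": "MRN-1003", "ward": "Cardiology", "heart_rate": 58},
]

DIRECT_IDENTIFIERS = {"patient_name", "mrn"}


def make_pseudonym(mrn: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the hospital's own patient identifier.

    Whoever holds `key` can recompute the token from an MRN and so re-link the
    data. That key is the "additional information" of Recital 26: while it
    exists, the token is pseudonymised personal data, not anonymous data.
    An unkeyed hash would be worse, because MRNs are small enough to enumerate.
    """
    return hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Drop direct identifiers and replace the MRN with a keyed token.

    This is the shape of data a vendor receives if the hospital keeps the key
    and exports per-patient vitals: 'just numbers', but still re-linkable.
    """
    return [
        {"pid": make_pseudonym(r["mrn"], key), "ward": r["ward"], "heart_rate": r["heart_rate"]}
        for r in records
    ]


def relink(pseudonymised, records, key: bytes):
    """What the key holder can do: rebuild the pid -> MRN table and re-identify."""
    table = {make_pseudonym(r["mrn"], key): r["mrn"] for r in records}
    return [dict(p, mrn=table[p["pid"]]) for p in pseudonymised]


def anonymise(pseudonymised, min_patients: int = 3):
    """Aggregate to ward-level statistics and drop the per-patient token.

    Wards with fewer than `min_patients` distinct patients are suppressed
    (value None), because a statistic over one or two people still singles
    them out (Recital 26, third sentence). The threshold is a policy choice
    assumed here; the GDPR gives no number.
    """
    by_ward = defaultdict(lambda: {"pids": set(), "rates": []})
    for p in pseudonymised:
        by_ward[p["ward"]]["pids"].add(p["pid"])
        by_ward[p["ward"]]["rates"].append(p["heart_rate"])
    result = {}
    for ward, g in by_ward.items():
        if len(g["pids"]) < min_patients:
            result[ward] = None
            continue
        result[ward] = {
            "patients": len(g["pids"]),
            "readings": len(g["rates"]),
            "mean_heart_rate": round(statistics.mean(g["rates"]), 1),
        }
    return result


def has_identifying_fields(records) -> bool:
    """Export gate: true if any record still carries a direct identifier or a
    per-patient token (i.e. is still personal data under Recital 26)."""
    return any(DIRECT_IDENTIFIERS.intersection(r) or "pid" in r for r in records)


if __name__ == "__main__":
    key = b"hospital-held-secret-key"  # assumed to never leave the hospital
    pseudo = pseudonymise(HOSPITAL_RECORDS, key)
    print("vendor view (pseudonymised):", pseudo)
    print("still personal data?", has_identifying_fields(pseudo))
    print("hospital can re-link:", relink(pseudo, HOSPITAL_RECORDS, key))
    print("anonymous aggregate:", anonymise(pseudo, min_patients=2))
```

The point for Laura's question: rows keyed by `pid` contain no name, yet `relink` shows the hospital can attribute every row to a patient, so the vendor is processing pseudonymised personal data and the GDPR applies to it. Only the output of `anonymise`, which drops the token and suppresses small groups, is the kind of information Recital 26 puts outside the Regulation, and `has_identifying_fields` is the check to run before anything leaves the controlled environment.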

Mark Meer

Trusted Information Resource
#6
I've got another case to consider:

- The device software allows users (therapists) to create multiple "accounts" for each of their clients.

- The "account" information is just a bunch of open fields, none of which are mandatory. For example, in a "Name" field, the clinician could enter the client's actual name, a pseudonymisation, or nothing at all.

- The device is networked to our servers strictly for the purpose of pushing software updates - none of the account data is ever transmitted.

------
Not certain if/how the GDPR applies in this case.
- Personal data is only maintained if the user chooses to enter personal data.
- This data is never transmitted even though the device is networked. That being said, I'm not certain how continuous networking exposes risk of possible access by unintended means (hacking, malware, etc.).

Any advice/input much appreciated!
MM
 