The document summarizes key points from a seminar on data protection and the new General Data Protection Regulation (GDPR). It discusses definitions of personal data and health data, consent requirements, privacy by design, data transfers, security obligations, data breaches, the data protection officer role, and impact assessments. The new GDPR brings significant changes including tougher consent standards, higher fines for violations, additional rights for data subjects, and new responsibilities for processors. Member states still have flexibility in some implementation areas, and full compliance will require preparation.
This document provides an overview of key data protection acts and regulations, including the Gramm-Leach-Bliley Act (GLB Act), the Health Insurance Portability and Accountability Act (HIPAA), and the relevant enforcement mechanisms. The GLB Act requires financial firms to explain their information sharing practices and implement data safeguards. HIPAA establishes privacy and security standards for protected health information and allows certain uses and disclosures for treatment, payment and healthcare operations. Both acts define the applicable entities, customers and information, and include provisions for security plans, employee training, and penalties for non-compliance.
The document provides an overview of Malaysia's Personal Data Protection Act 2010. It discusses key aspects of the Act including the establishment of a Personal Data Protection Commissioner, the 7 data protection principles, and requirements around notice, consent, disclosure, security, retention, data integrity and access. It also discusses some examples of data breaches and penalties for non-compliance. The Act aims to regulate the processing of personal data and protect privacy as digital data and internet usage continues to grow significantly.
The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulation (Cognizant)
U.S. healthcare organizations must soon comply with the EU’s General Data Protection Regulation (GDPR) - which goes far beyond the Health Insurance Portability and Accountability Act (HIPAA) - or face major fines. Here’s a guide to get started.
This document provides an introduction to information governance training. It covers key topics like confidentiality, data protection, freedom of information, record keeping, and information security. Regarding confidentiality, it discusses the duty of confidence healthcare workers have toward patient information and the Caldicott principles for justified use of confidential data. It also introduces scenarios to illustrate proper and improper handling of personal information.
EU Medical Device Clinical Research under the General Data Protection Regulation (Erik Vollebregt)
Presentation on patient data management for medical devices under the EU General Data Protection Regulation, given at the Medical Device Clinical Research Conference in November 2015.
The document summarizes a half-day public seminar on the Malaysian Personal Data Protection Act (PDPA) 2010 that will take place on July 25, 2011. It will cover topics such as what PDPA 2010 is, why compliance is needed, the seven data protection principles, and how the new law may impact businesses. The seminar will be led by Noriswadi Ismail from Quotient Consulting and include a question and answer session.
Presentation at the Silicon Flatirons Center at the University of Colorado School of Law. Providing an update on the latest issues and trends in data privacy and data security in the US. Focusing on recent actions of the FTC and state governments.
An introduction to the General Data Protection Regulation (GDPR) and its implications for research data management. Presentation given by Tim Rodgers of Imperial College London at the London Area Research Data meeting, held at the London School of Hygiene & Tropical Medicine on 17th Nov 2017.
This document discusses the legal aspects of big data analyses under European data protection laws. It provides an overview of key concepts regarding big data and data protection, including the EU's support for big data development and the requirements of the Data Protection Directive and upcoming General Data Protection Regulation. The regulation requires consent for processing sensitive personal data like health information, gives individuals rights to access and portability of their data, and places limits on profiling activities. Specific rules for genetic testing also require explicit written consent.
The document summarizes Malaysia's Personal Data Protection Act of 2010, which regulates the processing of personal data related to commercial transactions. It defines key terms, outlines 7 data protection principles, and discusses the rights of data subjects, offenses/penalties, and requirements for data users and sensitive personal data. It proposes a two-stage action plan for organizations to comply with the new law.
iHT2 Health IT Summit in Austin 2012 – Deborah C. Peel, MD, Founder and Chair, Patient Privacy Rights, Case Study “Considerations and Opportunities: Will Digital Health Data and Patient Altruism Transform Healthcare Research?”
General Data Protection Regulation (GDPR) | Privacy Law in India (Bivas Chatterjee)
This PPT deals with privacy law in India and the GDPR. It also covers GDPR compliance and the consequences of non-compliance for companies, especially Indian companies handling European citizens' personal data, and looks at the GDPR in connection with the use of Bitcoin, cloud, Artificial Intelligence, Big Data and IoT. So enjoy reading, and also stay connected with my blog at cyberchatterjee.blogspot.com.
General Data Protection Regulation (GDPR) for Identity Architects (WSO2)
https://wso2.com/solutions/regulatory-compliance/gdpr/
The EU General Data Protection Regulation (GDPR) puts identity architects in a unique position to help their organizations comply with the regulation.
Effective from 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council replaces the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe. It aims to protect and empower the data privacy of all individuals in the EU and to reshape the way organizations across the region approach data privacy. The GDPR is also prominent because of the heavy penalties it introduces for violators: fines of up to 4% of annual global turnover or €20 million, whichever is greater.
In this webinar we discuss the technical aspects of the regulation and the steps you, as an identity architect, can take to ensure that your security strategy is primed for the GDPR.
Overview of the Egyptian Personal Data Protection Law (FatmaAkram2)
Egypt has recently enacted its first Personal Data Protection Law (PDPL), which was published in the Official Gazette on 15 July 2020 and entered into force on 16 October 2020. The PDPL reflects many of the requirements of the EU’s General Data Protection Regulation (GDPR). The Executive Regulations of the PDPL are to be issued within six (6) months of the PDPL entering into force, and organizations must comply with the PDPL and its Executive Regulations within a grace period of one (1) year from the issuance of the Executive Regulations.
The PDPL covers almost all aspects of personal data protection stated under the GDPR. In this presentation, you will find a summary of the important data protection provisions stipulated under the PDPL, and the similarities and differences between the GDPR and the PDPL.
Presentation at the yearly Regulanet conference about application of EU data protection rules to medical devices and end-to-end solutions incorporating medical devices.
- Data privacy refers to standards protecting personal data like names, addresses, and genetic information that can identify research subjects. It is an important human right and failure to comply can result in fines and legal consequences.
- Key regulations and guidelines on data privacy include the EU Data Protection Directive, Clinical Trials Directive, General Data Protection Regulation, and ICH GCP guidelines. They require protecting subject confidentiality, obtaining consent, and having security measures for electronic and paper records.
- Clinical data managers should be trained on privacy requirements and ensure access to data is restricted and minimum personal information is collected.
This document summarizes key aspects of data protection regulations including the transition from the Data Protection Directive (DPD) to the General Data Protection Regulation (GDPR). It discusses definitions of personal data and health data, requirements around anonymization and pseudonymization, consent requirements, research data protections, data transfer and security rules, and new obligations to notify authorities of data breaches. The presentation concludes with contact information for Sofie van der Meulen of Axon Advocaten law firm in Amsterdam.
1) Privacy is about individuals having control over their personal health information in the face of technologies that reduce their control.
2) The Health Information Privacy Code 1994 is a code of practice that modifies New Zealand's 12 privacy principles into 12 rules governing the collection, use, and disclosure of identifiable health information.
3) The rules aim to balance individuals' privacy rights with other interests like research and public health, requiring open collection and use of information for its original purpose while allowing some exceptions like medical emergencies.
General Data Protection Regulation or GDPR (Nupur Samaddar)
The General Data Protection Regulation (GDPR) changes the way companies across the world handle their customers' personal information, creating strengthened and unified data protection for all individuals within the EU.
The document provides an overview of the history and key aspects of the General Data Protection Regulation (GDPR) in the European Union. It discusses how the GDPR came into effect in 2018 to replace the 1995 Data Protection Directive and strengthen data privacy for EU citizens. The summary highlights that the GDPR has a broad territorial scope, establishes strict rules for processing personal data, defines core concepts like consent, and introduced the principle of accountability to ensure compliance.
Confidentiality and Data Protection in Health Care (Vaileth Mdete)
Information governance in healthcare involves managing patient data throughout its lifecycle according to certain principles like accountability, transparency, integrity, protection, compliance, availability, retention, and disposition. It aims to balance access to health information with security of sensitive personal data. Key goals of information governance include maintaining privacy of electronic health records, improving care quality and safety, and reducing costs. Healthcare organizations face challenges with growing data volumes, expanding use of data, and ensuring interoperability across systems. Proper information governance is important for protecting patient privacy and rights regarding their personal health information.
Data Privacy and Consent Management (ClinosolIndia)
Data privacy and consent management are critical aspects of ensuring that individuals' personal information is handled responsibly and ethically, particularly in healthcare settings where sensitive medical data is involved. Data privacy refers to the protection of personal information from unauthorized access, use, or disclosure, while consent management involves obtaining and managing individuals' permissions for the collection, storage, and processing of their data.
In healthcare, patients entrust providers with their sensitive medical information, expecting that it will be kept confidential and used only for legitimate purposes related to their care. Robust data privacy measures include encryption, access controls, and anonymization techniques to safeguard patient data from unauthorized access or breaches. Additionally, healthcare organizations must adhere to regulatory standards such as HIPAA in the United States or GDPR in the European Union, which outline specific requirements for the protection of patient information and impose penalties for non-compliance.
Consent management plays a crucial role in ensuring that individuals have control over how their data is used. Patients should be informed about the purposes for which their data will be collected and processed, as well as any potential risks or benefits associated with its use. Obtaining informed consent involves providing individuals with clear and transparent information about their privacy rights and giving them the opportunity to consent to or decline the use of their data for specific purposes. Consent management systems help healthcare organizations track and manage patients' consent preferences, ensuring that data is used in accordance with their wishes and legal requirements.
Effective data privacy and consent management practices not only protect individuals' privacy rights but also foster trust and transparency in healthcare relationships. By implementing robust security measures, respecting patients' autonomy, and promoting informed decision-making, healthcare organizations can uphold the principles of data privacy and consent while leveraging data responsibly to improve patient care and outcomes.
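The two controls named in the summaries above, pseudonymisation as distinct from anonymisation, and purpose-specific consent that can be withdrawn, are easy to state and easy to get wrong in code. The following Python example is added here for illustration and is not code from any of the documents listed on this page. It assumes a hypothetical consent registry and a constructed set of patient records; the pseudonymisation key, which in a real deployment would live in a separate system the data recipient cannot read, is generated in-process only for the demo.

```python
"""Added example: purpose-bound consent check plus keyed pseudonymisation.

All records, identifiers and diagnoses below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# The key is what separates pseudonymisation from anonymisation: whoever holds
# it can re-link a pseudonym to the patient, and whoever does not cannot.
# Generated here for the demo only; keep it in a separate key store in practice.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 pseudonym.

    An unkeyed hash is not enough: health numbers and similar identifiers come
    from a small space, so an attacker could hash every candidate and match.
    """
    mac = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


@dataclass
class ConsentRecord:
    patient_id: str
    purposes: set = field(default_factory=set)   # purposes opted in to
    withdrawn: set = field(default_factory=set)  # purposes later withdrawn

    def permits(self, purpose: str) -> bool:
        return purpose in self.purposes and purpose not in self.withdrawn


class ConsentRegistry:
    """Tracks per-patient, per-purpose consent; denies by default."""

    def __init__(self) -> None:
        self._records: dict = {}

    def grant(self, patient_id: str, purpose: str) -> None:
        rec = self._records.setdefault(patient_id, ConsentRecord(patient_id))
        rec.purposes.add(purpose)
        rec.withdrawn.discard(purpose)

    def withdraw(self, patient_id: str, purpose: str) -> None:
        rec = self._records.setdefault(patient_id, ConsentRecord(patient_id))
        rec.withdrawn.add(purpose)

    def permits(self, patient_id: str, purpose: str) -> bool:
        rec = self._records.get(patient_id)
        return rec is not None and rec.permits(purpose)


# Constructed sample records: identifiers, names and diagnoses are invented.
RECORDS = [
    {"patient_id": "NHS-0001", "name": "A. Example", "dob": "1970-01-01", "diagnosis": "E11"},
    {"patient_id": "NHS-0002", "name": "B. Example", "dob": "1985-06-30", "diagnosis": "I10"},
    {"patient_id": "NHS-0003", "name": "C. Example", "dob": "1992-11-12", "diagnosis": "J45"},
]

DIRECT_IDENTIFIERS = ("patient_id", "name", "dob")


def export_for_purpose(records, registry: ConsentRegistry, purpose: str,
                       key: bytes = PSEUDONYM_KEY):
    """Return a pseudonymised extract containing only consenting patients.

    Direct identifiers are dropped and the row is keyed by the pseudonym, so
    the controller (holding the key) can still re-link it, for example to
    honour a later erasure request, while the recipient cannot.
    """
    out = []
    for rec in records:
        if not registry.permits(rec["patient_id"], purpose):
            continue  # no consent for this purpose: nothing about the patient leaves
        out.append({
            "pseudonym": pseudonymise(rec["patient_id"], key),
            **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS},
        })
    return out


def demo():
    reg = ConsentRegistry()
    reg.grant("NHS-0001", "research")
    reg.grant("NHS-0002", "research")
    reg.grant("NHS-0002", "marketing")
    reg.withdraw("NHS-0002", "research")  # withdrawal must be honoured
    return export_for_purpose(RECORDS, reg, "research")


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running the demo exports a single row, for the one patient whose research consent is still in force, containing only the pseudonym and the diagnosis. The patient who granted and then withdrew research consent is excluded even though marketing consent remains, and the patient with no consent record at all is excluded by the deny-by-default lookup.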
The document discusses data protection and the General Data Protection Regulation (GDPR) which takes effect in May 2018. It provides an overview of key aspects of the GDPR including its scope, definitions of personal and special categories of data, the grounds for processing each type of data, and the six data protection principles of the GDPR around lawful and fair processing, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. Organizations are advised to review their data protection practices to ensure compliance with the GDPR.
TrustArc Webinar - Privacy in Healthcare: Ensuring Data Security (TrustArc)
In a healthcare landscape where data flows are constant, and patient trust is paramount, it’s critical to understand and implement adequate data security and privacy practices. Start navigating the importance of privacy in healthcare for 2023 and beyond. Remembering that privacy is more than just checking a box is essential.
To better understand how to measure privacy in a healthcare setting correctly, healthcare leaders must understand how to grow and maintain privacy programs effectively and have insights into their privacy methods.
Whether you are wondering what data privacy is or already know, this webinar will help you better understand the importance of privacy in protecting you and your clients.
This document discusses health-related data, including types of data, legal constraints around sharing data, and best practices for managing data. It covers:
1) Different types of health data like medical records, generated data, and acquired data. It also defines personal, identifying, and anonymized data.
2) Legal requirements for sharing data, including various acts and regulations around privacy, confidentiality, and individuals' rights to their data.
3) Best practices for managing data sharing and security, including obtaining consent, implementing access agreements, having governance committees, and separating identifiable from non-identifiable data.
Overview of privacy and data protection considerations for DEVELOP (Trilateral Research)
This document discusses ethical, privacy, and data protection considerations for a project called DEVELOP. It outlines relevant ethical values like autonomy, dignity, inclusion and beneficence. It also discusses the right to privacy under the European Convention on Human Rights and EU data protection law. The document provides an overview of the EU Data Protection Directive and the new General Data Protection Regulation. It raises specific privacy and data protection issues like informed consent, data minimization, and anonymity that DEVELOP should address.
EU General Data Protection Regulation top 8 operational impacts in personal c... (Erik Vollebregt)
Presentation to the Personal Connected Health Alliance about the top 8 operational impacts of the EU General Data Protection Regulation on companies in the personal connected health field.
Legal and ethical considerations for sharing research data (OpenAIRE)
Irena Vipavc Brar (Social Sciences Data Archives / CESSDA)
Aimed at researchers in social sciences, but of interest for other fields as well, Irena Vipavc Brar gives an overview of the most important legal and ethical considerations when sharing research data. She discusses the implications of GDPR for scientific research, informed consent and ethical aspects of dealing with personal data, and legal issues.
Links: https://www.cessda.eu/Research-Infrastructure/Training/Expert-Tour-Guide-on-Data-Management
The document outlines privacy guidelines for the implementation of the Philippine Health Information Exchange (PHIE) in accordance with the Data Privacy Act of 2012. The PHIE aims to facilitate sharing of health information among providers to improve patient care, while protecting individual privacy. Key points include: obtaining patient consent prior to sharing data; limiting access, use and disclosure of health information; implementing security measures like encryption; and penalties for violations of privacy and data protection laws. The goal is to promote public health through better health systems, while safeguarding each individual's right to privacy of their health information.
The Privacy Law Landscape: Issues for the research communityARDC
Presentation by Anna Johnston of Salinger Privacy to ARDC's 'GDPR and NDB scheme: Intersection with the Australian research sector' webinar on 13 September 2018
Paperless Lab Academy 'legal aspects of big data analytics' Axon Lawyers
This document provides an overview of legal aspects related to big data analytics. It defines big data and discusses legal perspectives on data protection and privacy in the context of big data. The document outlines how the collection and analysis of large datasets can constitute processing of personal data, raising issues of consent, data minimization, anonymization, and security. It also discusses how regulations like the EU's General Data Protection Regulation aim to address privacy challenges from big data while balancing opportunities for innovation.
This document provides an overview of legal aspects related to big data analytics. It defines big data and discusses legal perspectives on data protection and privacy in the context of big data. The document outlines how the collection and analysis of large datasets can constitute processing of personal data, raising issues of consent, data minimization, anonymization, security and data breaches. It also discusses how regulations like the EU's General Data Protection Regulation aim to address privacy challenges from big data while balancing opportunities for innovation.
Similar to Seminar General Data Protection Regulation (20)
Vitafoods B2C communication in the funtional food Axon Lawyers
1) The document discusses the legal framework for health, nutrition, and medical claims regarding functional foods and nutraceuticals in B2C communication in the EU.
2) It outlines the differences between nutrition claims, health claims, and medical claims and the conditions for using each type of claim. Nutrition claims relate to nutrient content while health claims relate the relationship between a food and health. Medical claims are not allowed for foods.
3) The document also discusses requirements for food information to consumers regarding ingredients, legibility, and nutrition declarations according to the Food Information to Consumers Regulation.
Vitafoods marketing functional food to childrenAxon Lawyers
The document discusses marketing functional foods to children in the EU. It outlines WHO recommendations to reduce marketing of unhealthy foods to children. In the EU, health claims must meet strict criteria and not mislead consumers. National self-regulatory bodies in countries like the Netherlands set rules for food advertising to children, generally prohibiting advertising of foods high in fat, sugar, or salt for children under 12. Effectiveness of self-regulation is debated as some find additional restrictions are still needed.
Vitafoods eu clinical trials regulationAxon Lawyers
The document discusses the key changes to the legal framework for clinical trials in the EU under the new Clinical Trials Regulation, including streamlined application procedures, a single submission process, increased transparency requirements, and clarification around what products are considered medicinal products versus food or dietary supplements.
The document summarizes the current status and future changes to novel food regulations in the EU. It discusses the four categories of novel foods, the authorization procedures, examples of novel foods that have received authorization, and how specific novel foods like algae, insects and duckweed are currently treated. It notes that the new regulations will centralize the authorization process and create a simplified procedure for traditional foods, while introducing provisions around nanomaterials and cloned animals.
Vitafoods Europe 2015: Clearer labels for consumersAxon Lawyers
The document summarizes the key aspects of the EU Food Information for Consumers Regulation, which aims to modernize and clarify food labeling requirements for consumers. It overviews the scope of the regulation, mandatory food information that must be included like ingredients and country of origin, new legibility requirements, and the upcoming mandatory nutrition declaration. It concludes that the regulation will increase administrative burden for industry but is intended to better support consumer choice and rebuilt trust following food scandals.
Hacking Health Camp Strasbourg health data & data protection in the Netherlands Axon Lawyers
This document summarizes key points about data protection and privacy in the Netherlands. It discusses the legal framework for data protection in the EU and Netherlands, including the Data Protection Directive, upcoming General Data Protection Regulation, and the Dutch Data Protection Authority. It covers definitions of personal data, parties involved in processing, rules around health data, data security, and recent developments around data breaches. The document also flags other legal issues that may be relevant for digital health technologies, like software qualifying as a medical device.
Conveying food innovations by health claimsAxon Lawyers
This document provides an overview of the legal framework for nutrition and health claims in the European Union and examples of how food innovations have conveyed through claims. It begins with definitions of nutrition claims and health claims and the authorization process. Two case studies are presented: a proprietary claim for plant sterol esters lowering cholesterol, and a claim for lycopene supporting platelet aggregation. The document concludes with a quiz to test understanding of claim types and conditions of use.
Sangyun Lee, 'Why Korea's Merger Control Occasionally Fails: A Public Choice ...Sangyun Lee
Presentation slides for a session held on June 4, 2024, at Kyoto University. This presentation is based on the presenter’s recent paper, coauthored with Hwang Lee, Professor, Korea University, with the same title, published in the Journal of Business Administration & Law, Volume 34, No. 2 (April 2024). The paper, written in Korean, is available at <https://shorturl.at/GCWcI>.
सुप्रीम कोर्ट ने यह भी माना था कि मजिस्ट्रेट का यह कर्तव्य है कि वह सुनिश्चित करे कि अधिकारी पीएमएलए के तहत निर्धारित प्रक्रिया के साथ-साथ संवैधानिक सुरक्षा उपायों का भी उचित रूप से पालन करें।
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence LawyersHarpreetSaini48
Discover how Mississauga criminal defence lawyers defend clients facing weapon offence charges with expert legal guidance and courtroom representation.
To know more visit: https://www.saini-law.com/
This document briefly explains the June compliance calendar 2024 with income tax returns, PF, ESI, and important due dates, forms to be filled out, periods, and who should file them?.
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordinary And Special Businesses And Ordinary And Special Resolutions with Companies (Postal Ballot) Regulations, 2018
Business law for the students of undergraduate level. The presentation contains the summary of all the chapters under the syllabus of State University, Contract Act, Sale of Goods Act, Negotiable Instrument Act, Partnership Act, Limited Liability Act, Consumer Protection Act.
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...Massimo Talia
This guide aims to provide information on how lawyers will be able to use the opportunities provided by AI tools and how such tools could help the business processes of small firms. Its objective is to provide lawyers with some background to understand what they can and cannot realistically expect from these products. This guide aims to give a reference point for small law practices in the EU
against which they can evaluate those classes of AI applications that are probably the most relevant for them.
Lifting the Corporate Veil. Power Point Presentationseri bangash
"Lifting the Corporate Veil" is a legal concept that refers to the judicial act of disregarding the separate legal personality of a corporation or limited liability company (LLC). Normally, a corporation is considered a legal entity separate from its shareholders or members, meaning that the personal assets of shareholders or members are protected from the liabilities of the corporation. However, there are certain situations where courts may decide to "pierce" or "lift" the corporate veil, holding shareholders or members personally liable for the debts or actions of the corporation.
Here are some common scenarios in which courts might lift the corporate veil:
Fraud or Illegality: If shareholders or members use the corporate structure to perpetrate fraud, evade legal obligations, or engage in illegal activities, courts may disregard the corporate entity and hold those individuals personally liable.
Undercapitalization: If a corporation is formed with insufficient capital to conduct its intended business and meet its foreseeable liabilities, and this lack of capitalization results in harm to creditors or other parties, courts may lift the corporate veil to hold shareholders or members liable.
Failure to Observe Corporate Formalities: Corporations and LLCs are required to observe certain formalities, such as holding regular meetings, maintaining separate financial records, and avoiding commingling of personal and corporate assets. If these formalities are not observed and the corporate structure is used as a mere façade, courts may disregard the corporate entity.
Alter Ego: If there is such a unity of interest and ownership between the corporation and its shareholders or members that the separate personalities of the corporation and the individuals no longer exist, courts may treat the corporation as the alter ego of its owners and hold them personally liable.
Group Enterprises: In some cases, where multiple corporations are closely related or form part of a single economic unit, courts may pierce the corporate veil to achieve equity, particularly if one corporation's actions harm creditors or other stakeholders and the corporate structure is being used to shield culpable parties from liability.
3. “I was Patient Zero,” said Lewinsky, now 41, to an auditorium full of 1,000-plus high-achieving millennials at Forbes’ inaugural 30 Under 30 summit in Philadelphia. “The first person to have their reputation completely destroyed worldwide via the Internet.”
https://www.ted.com/talks/monica_lewinsky_the_price_of_shame?language=en
‘(…)…Don't matter if I step on the scene
Or sneak away to the Philippines
They still gon' put pictures of my derriere in the magazine
You want a piece of me?
You want a piece of me’
(Britney Spears – Lyrics ‘Piece of me’)
Ask Monica Lewinsky…
Ask Britney Spears…
Ask Jennifer Lawrence…
4. You want a piece of me?
• Privacy policy
Tell people WHY you want their data, tell them HOW you handle the data
and WHAT you are going to do with it.
• Privacy by design
Make privacy and security part of the development of your products.
6. Time to say goodbye…
to the Data Protection Directive!
7. And hi to the new General Data
Protection Regulation 2016/679
• Virtually everything we currently do will become more
complicated, more expensive, more administratively burdensome
• 261 pages, 108 of Recitals
• Regulation shall apply from 25 May 2018
• Regulation enters into force on 24 May 2016 (published in
the Official Journal on 4 May), but with a two-year transition period
• No grandfathering of existing consents etc.
• Many clients target compliance by May 2017 to allow stress
testing of systems
Prepare now!
9. Impact on healthcare?
Top 8 points of attention for healthcare businesses:
1. Informed consent criteria
2. Scope of ‘data concerning health’
3. Right to be forgotten (applies to commercial collection of health data)
4. Impact assessment
• For data concerning health
• In case of profiling
5. Profiling requirements
• including right to object if processing significantly affects the data subject
6. Data portability right of user
7. Security requirements
8. Export of data to extra-EU jurisdictions
10. GDPR: processing of personal data
Definition of ‘processing’:
‘means any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by
automated means, such as collection, recording, organisation,
structuring, storage, adaptation or alteration, retrieval, consultation,
use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or
destruction.’
11. Parties involved in processing
• Controller:
‘the natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and
means of the processing of personal data; where the purposes and
means of such processing are determined by Union or Member
State law, the controller or the specific criteria for its nomination
may be provided for by Union or Member State law’
• Processor:
‘means a natural or legal person, public authority, agency or other
body which processes personal data on behalf of the controller’
• Third party
• Data subject
- Right to access
- Right to correction
- Right to erasure
- Right to objection
12. Personal data?
Personal data under DPD:
any information relating to an identified or identifiable natural
person ('data subject'); whether directly or indirectly identifiable.
“data relates to an individual if it refers to the identity, characteristics
or behaviour of an individual or if such information is used to
determine or influence the way in which that person is treated or
evaluated” (WP136)
Future scope of ‘personal data’ under GDPR?
13. Personal data under GDPR
Definitions for:
• Data concerning health – (sensitive data)
• Genetic data – (sensitive data)
• Biometric data
• Personal data:
‘personal data’ means any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable natural
person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or
more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person’
14. DPD: Health data
Health data is a special category of data - processing prohibited
UNLESS
Explicit consent
OR
Medical treatment exemption:
Processing of the data is required for the purposes of preventive
medicine, medical diagnosis, the provision of care or treatment or
the management of health-care services, and those data are
processed by a health professional subject under national law or
rules established by national competent bodies to the obligation of
professional secrecy or by another person also subject to an
equivalent obligation of secrecy.
15. Scope of ‘health data’?
European Court of Justice in Case C-101/01 (Lindqvist):
‘In the light of the purpose of the directive, the expression “data
concerning health” used in Article 8(1) thereof must be given a wide
interpretation so as to include information concerning all aspects,
both physical and mental, of the health of an individual.’
Letter of WP29 of 5 February 2015 on data collected by mHealth
apps. Health data includes:
• Medical data: ‘data about the physical or mental health status of
a data subject (…) generated in a professional, medical context’
• Health related data used in an administrative context
(information to public entities)
• Data about the purchase of medical products and services
provided that the health status can be determined
18. Biological samples?
• Recitals 13, 34 and 35: Genetic data should be defined as
personal data relating to the inherited or acquired genetic
characteristics of a natural person which result from the analysis
of a biological sample from the natural person in question. Prior
to analysis: is person identifiable?
Personal data relating to the inherited or acquired genetic
characteristics of a natural person which give unique information
about the physiology or the health of that natural person and which
result, in particular, from an analysis of a biological sample from the
natural person in question.
• Genetic data is regarded as personal data concerning health,
and is included among the special categories of data.
• Netherlands: Federa ‘Code Goed Gebruik’
- Secondary use for research/scientific purposes (no ‘objection’)
- Secondary use for commercial purposes (consent)
19. Privacy principles – art. 5 GDPR
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation (adequate, relevant and limited)
4. Storage limitation
5. Integrity & confidentiality
6. Accountability (controller is responsible for compliance)
20. Anonymous information
Recital 26 GDPR:
‘The principles of data protection should not apply to anonymous
information, namely information which does not relate to an
identified or identifiable natural person or to personal data rendered
anonymous in such a manner that the data subject is not or no
longer identifiable.
This Regulation does not therefore concern the processing of such
anonymous information, including for statistical or research
purposes.’
22. Anonymisation
Anonymisation criteria WP29 Opinion 05/2014:
• Is it still possible to single out an individual?
• Is it still possible to link records relating to an individual?
• Can information about an individual be inferred?
Outcome after the technique is applied: it should be as permanent as erasure of
the personal data – it should make processing of personal data
impossible. <- Realistic?
Absolute anonymisation is impossible -> focus on mitigating risks of
re-identification.
It’s not a one-off exercise!
23. Pseudonymisation
GDPR: processing of personal data in such a manner that the
personal data can
• no longer be attributed to a specific data subject
• without the use of additional information,
• provided that such additional information is kept separately and
• is subject to technical and organizational measures to ensure
that the personal data are not attributed to an identified or
identifiable natural person
= security measure to reduce the linkability of a dataset to the
original identity of a data subject
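An added example, not part of the seminar deck, that puts the WP29 anonymisation questions (singling out, linkability, inference) and the GDPR pseudonymisation definition into code: a constructed six-record health extract is pseudonymised with a keyed HMAC whose key is held in a separate store, re-linked with that key to show it is still personal data, and then checked against the three questions before and after generalising the quasi-identifiers. All records, field names, the key and the helper names are assumptions made for this example.

```python
"""Added example (not from the seminar): pseudonymisation vs. anonymisation
checks on a constructed health-data extract.

- Pseudonymisation as GDPR art. 4(5) describes it: the direct identifier is
  replaced by a keyed HMAC and the key (the 'additional information') lives
  in a separate store. With that key the record can still be attributed to
  the data subject, which is why pseudonymous data remains personal data.
- The three WP29 Opinion 05/2014 questions (singling out, linkability,
  inference) as a k-anonymity style check on quasi-identifiers, before and
  after generalisation.
All records, names and the key are constructed for this example.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample export from a consumer health app (no real persons).
RECORDS = [
    {"email": "anna@example.org", "birth_year": 1984, "postcode": "1019HC", "condition": "hypertension"},
    {"email": "bart@example.org", "birth_year": 1985, "postcode": "1019HC", "condition": "diabetes"},
    {"email": "cees@example.org", "birth_year": 1990, "postcode": "1011AB", "condition": "diabetes"},
    {"email": "dana@example.org", "birth_year": 1991, "postcode": "1011AB", "condition": "asthma"},
    {"email": "eva@example.org", "birth_year": 1975, "postcode": "1019HC", "condition": "hypertension"},
    {"email": "finn@example.org", "birth_year": 1979, "postcode": "1019HC", "condition": "asthma"},
]
DIRECT_IDENTIFIER = "email"
QUASI_IDENTIFIERS = ("birth_year", "postcode")
SENSITIVE = "condition"


class KeyStore:
    """Holds the art. 4(5) 'additional information' separately from the data.
    In production this would be a KMS/HSM or a separately access-controlled
    system, never a column next to the pseudonymised records."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def pseudonym(self, identifier: str) -> str:
        # Keyed hash: without the key the pseudonym cannot be recomputed from
        # a candidate identifier, unlike a plain SHA-256 of the e-mail address.
        return hmac.new(self._secret, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, keystore):
    """Replace the direct identifier with a keyed pseudonym ('pid')."""
    return [
        {**{k: v for k, v in r.items() if k != DIRECT_IDENTIFIER},
         "pid": keystore.pseudonym(r[DIRECT_IDENTIFIER])}
        for r in records
    ]


def relink(pseudonymised, known_identifiers, keystore):
    """Controller-side re-attribution: whoever holds the key and the identifier
    list can map pseudonyms back, so the dataset is still personal data."""
    lookup = {keystore.pseudonym(i): i for i in known_identifiers}
    return {r["pid"]: lookup.get(r["pid"]) for r in pseudonymised}


def generalise(record):
    """Coarsen the quasi-identifiers: birth year -> decade, postcode -> digits."""
    return {**record,
            "birth_year": record["birth_year"] // 10 * 10,
            "postcode": record["postcode"][:4]}


def has_linking_key(records):
    """Linkability: any column whose value is unique per record can be used to
    join this release to another one (e.g. a stable pseudonym)."""
    n = len(records)
    return any(len({r[col] for r in records}) == n for col in records[0])


def wp29_check(records, quasi, sensitive):
    """Answer the WP29 questions for one release.
    singling_out: some quasi-identifier combination matches a single record.
    k: size of the smallest equivalence class (k-anonymity).
    inference: some class is homogeneous in the sensitive attribute, so the
    condition of everyone in it can be inferred without singling anyone out."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi)].append(r)
    sizes = [len(c) for c in classes.values()]
    return {
        "singling_out": min(sizes) == 1,
        "k": min(sizes),
        "inference": any(len({r[sensitive] for r in c}) == 1 for c in classes.values()),
        "linkable": has_linking_key(records),
    }


if __name__ == "__main__":
    ks = KeyStore(b"constructed-demo-key-not-for-production")
    pseudo = pseudonymise(RECORDS, ks)
    print("raw       :", wp29_check(RECORDS, QUASI_IDENTIFIERS, SENSITIVE))
    print("pseudonym :", wp29_check(pseudo, QUASI_IDENTIFIERS, SENSITIVE))
    print("re-linked :", relink(pseudo, [r["email"] for r in RECORDS], ks))
    gen = [generalise(r) for r in pseudo]
    print("generalised (pid kept)   :", wp29_check(gen, QUASI_IDENTIFIERS, SENSITIVE))
    anon = [{k: v for k, v in r.items() if k != "pid"} for r in gen]
    print("generalised (pid dropped):", wp29_check(anon, QUASI_IDENTIFIERS, SENSITIVE))
```

Note that the pseudonymised release still answers "yes" to singling out and linkability; only generalising the quasi-identifiers and dropping the stable pseudonym clears all three questions, which is the slide's point that pseudonymisation is a security measure, not anonymisation.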
24. Consent-based
business model tricky
GDPR: ‘means any freely given, specific,
informed and unambiguous indication of the
data subject's wishes by which he or she, by a statement or by a
clear affirmative action, signifies agreement to the processing of
personal data relating to him or her’
Recitals 32, 42 and 43 GDPR
• silence, pre-ticked boxes or inactivity do not constitute consent
• Processing for multiple purposes? Consent should be given for
all of them!
• Controller must be able to prove valid consent was obtained and
provide intelligible consent language
• Consent invalid “in a specific case where there is a clear
imbalance between the data subject and the controller”
29. Research – ‘Right to be forgotten’
Article 17 (1) GDPR: The data subject has the right to obtain from the
controller the erasure of personal data without undue delay.
Last year: risk that statistical analyses will be “depowered” as a
result of the exercise of the right to withdraw consent and the right to erasure.
Now: the ‘right to be forgotten’ does NOT apply ONLY where the processing
takes place:
‘for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes in accordance with
Article 89(1) in so far as the right referred to in paragraph 1 is likely
to render impossible or seriously impair the achievement of the
objectives of that processing.’
Right to be forgotten does apply in all commercial processing of
health data!
30. Privacy by design
• Know what to design for: do a PIA to identify and reduce risks of projects
• Designing projects, processes, products or systems with privacy in mind
at the outset can lead to benefits which include:
• Potential problems are identified at an early stage, when
addressing them will often be simpler and less costly
• Increased awareness of privacy and data protection across an
organisation
• Organisations are more likely to meet their legal obligations and
less likely to breach the GDPR
• Actions are less likely to be privacy intrusive and have a negative
impact on individuals
31. Privacy by design (art. 25 GDPR)
• Privacy by design requires designing compliant policies,
procedures and systems at the outset of any product or process
development.
32. Privacy by default
• 'Privacy by default' requires that controllers implement appropriate
technical and organisational measures to ensure that, by default, only
personal data which are necessary for each specific purpose of the
processing are processed (e.g. amount collected, extent of
processing, storage period and accessibility).
33. Practical things
Practical measures to take (for example):
• implementing a privacy impact assessment template that the business
can populate each time it designs, procures or implements a new
system
• revising standard contracts with data processors to set out how
risk/liability will be apportioned between the parties in relation to the
implementation of 'privacy by design' and 'privacy by default'
requirements
• revisiting data collection forms/web-pages to ensure that excessive data
is not collected
34. Export
Export only with legal basis:
• Appropriate safeguards (BCR and SCCs) ensuring third party
rights for data subjects, approved code or certification
mechanism
• Privacy Shield
• Specific situations:
• informed consent
• necessary for performance of contract
35. Data transfer outside EU
• Surveillance practices (PRISM)
Safe harbor for transfer to US?
Safe Harbor Certification merely means that the transfer of personal
data to the US is allowed in principle because it demonstrates the
adequacy of the US as jurisdiction
• Facebook case (Schrems, C-362/14) invalidates Safe Harbor
transfer mechanism
Alternatives:
• Data transfer agreement based on European
Commission’s standard contractual clauses
• Binding corporate rules blessed by a DPA
• Adequacy decision?
• “Privacy Shield” – text adopted by European Commission
36. Security
Data controllers and processors should implement appropriate
technical & organizational measures to protect data from loss or
any form of unlawful processing
• Article 32 defines security principles
Security measures must take into account (recital 78):
• Nature of the data to be protected and consequences of security
breach
• State of the art
• Security by design
• Aim to prevent unnecessary collection and further processing of
personal data
• Overriding principle: Plan-Do-Check-Act
• Data breach notification (article 33/34)
• to DPA (<72 hours) and to data subject
• processor must inform controller
40. Data breaches
NL: Legislative proposal adopted amending the Data Protection
Act and Telecommunications Act by incorporating a notification
obligation for data controllers in case of data breaches.
Until now: hundreds of notifications!
The Data Protection Authority can impose administrative fines up to
EUR 820,000 in case of violation of the notification obligation.
Notification obligation applies if:
• Security breach
• Entity in public or private sector (companies, governmental
organizations)
• The infringement leads to a significant risk of adverse impact on
the protection of personal data processed by the organization
(theft, loss or abuse of personal data).
41. Data Protection Officer (art. 37)
The controller and the processor shall designate a data protection
officer in any case where:
(a) […]
(b) the core activities of the controller or the processor consist of
processing operations which, by virtue of their nature, their
scope and/or their purposes, require regular and systematic
monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of
processing on a large scale of special categories of data
pursuant to Article 9 (data concerning health).
• A group of undertakings may appoint a single data protection
officer provided that a data protection officer is easily accessible
from each establishment
• May be employed or consultant
• Details to be notified to DPA
42. Impact Assessment
Article 35
• PIA prior to processing – similar operations with similar risks can be
grouped
• Count on all grant-funded projects and clinical trials, investigations or
registries that require ethics approval needing a PIA
• Authorities will make lists of operations subject to PIA
44. Profiling requirements
• Profiling based on health data -> always PIA
• 'profiling' means any form of automated processing of personal data
consisting of the use of personal data to evaluate certain personal
aspects relating to a natural person, in particular to analyse or predict
aspects concerning that natural person's performance at work, economic
situation, health, personal preferences, interests, reliability, behaviour,
location or movements;
• Data subject must be informed
• Article 22: right not to be subject to a decision based solely on
automated processing, including profiling, which produces legal effects
concerning him or her or similarly significantly affects him or her, unless
• decision is necessary for performance or entering into contract
• decision is based on explicit consent
• AND:
• explicit consent in case of profiling based on health data
• suitable measures to safeguard the data subject's rights and
freedoms and legitimate interests must be in place
46. New responsibilities data
processor
• controller shall use only processors providing sufficient
guarantees to implement appropriate technical and
organizational measures in such a manner that processing will
meet the requirements of this Regulation and ensure the
protection of the rights of the data subject
• processor not allowed to engage another processor without prior
specific or general written authorisation of the controller and
without contract
• processor must also designate DPO (art. 37 (1))
47. What changes?
• Fines/penalties for breach
• Up to 4% of annual worldwide turnover for serious breaches
(e.g. requirements relating to international transfers or the basic
principles for processing)
• Up to 2% of annual worldwide turnover for other breaches
• Data protection becomes a fundamental right
• More access rights (e.g. data portability)
• Impact Assessments required
• Prior approval of impact assessment of each act of
processing (sets of similar processing can be grouped)
• Profiling requirements
• Explanation of automated processing logic
48. What changes?
• Consent requirements tougher
• Pseudonymous data remains personal data regardless of the
number and nature of steps taken to key code
• Biological samples = identifiable data?
• Exemptions for processing without consent
• Exemptions not suited for outsourced processing in eHealth
/ mHealth services and not drafted for regulatory clinical
data obligations or health technology assessments
• Technical standards
• Commission can issue technical standards related to
implementation of GDPR requirements
• Mandatory Privacy Officer
49. Known unknowns and wide open
doors
• This means that member states can still require geofencing, hosting
accreditation and things like that for processing of genetic, biometric
and/or health data!
• Only restriction is that these cannot be contrary to the requirements of
the internal market and must be proportionate
50. Case studies
• Personalized home-based HTN care
• Employee wellness programs
• Consumer Health Home monitoring
• Data for research vs data for commercial development
51. Questions
• Personal data? Sensitive data?
• Data subjects?
• Act of processing?
• For which purposes?
• Consent?
• Profiling?
• Sharing data? Export?
• Storage?
• Security?
• Vulnerabilities?
• Data breaches?
52. Sofie van der Meulen
Axon Advocaten
Piet Heinkade 183
1019 HC Amsterdam
+31 88 650 6500
+31 6 53 44 05 67
sofie.vandermeulen@axonlawyers.com
THANK YOU FOR YOUR ATTENTION!
53. Legal stuff
• The information in this presentation is provided for information
purposes only.
• The information is not exhaustive. While every endeavour is made
to ensure that the information is correct at the time of publication,
the legal position may change as a result of matters including new
legislative developments, new case law, local implementation
variations or other developments.
• The information does not take into account the specifics of any
person's position and may be wholly inappropriate for your
particular circumstances.
• The information is not intended to be legal advice, cannot be
relied on as legal advice and should not be a substitute for legal
advice.
Editor's Notes
Legal landscape under DPD
To the DPD
REGULATION – not a directive. Directly applicable in all EU Member States.
More complicated
More expensive
More administratively burdensome
Also research data is covered by the scope of the GDPR
Broader definition of personal data, or adding categories of personal data. However, the core of the definition is still intact: directly or indirectly identifiable.
Potential future health status: any information where there is a scientifically proven or commonly perceived risk of disease in the future, such as obesity, blood pressure, personal habits involving tobacco, alcohol or drugs
Past, current and future health status of a data subject. Prior to this new definition the definition was already broadened in the opinion of the art. 29 working party, which was referred to in the Dutch case against Nike.
Is a biological sample in itself personal data?
Still not clear what the scope is of anonymous information including for statistical or research purposes.
Identifiable? Taking into account costs and amount of time required for identification, the available technology and the technology at the time of the processing. There is no hard and fast rule.
http://www.privacy-analytics.com/de-id-university/webinars/anonymization-ema-policy-0070/
Anonymous datasets can be enriched or combined
Reuse of data
the result of processing for statistical purposes is not personal data, but aggregate data (recital 162)
Research data and purpose limitation
Still not entirely clear!
Article 49b IVDR on study performance data
Article 51: no personal data should be publicly available
Article 81: reference to data protection directive
Not sure how this will work out in practice! Result, clinical trials and clinical investigations will be conducted outside Europe to avoid any such risk.