Should a DPO be designated in a non-public health care facility?

According to the GDPR (Article 37(1)), the obligation to designate a DPO occurs in any case where:

  • the processing is carried out by a public authority or body;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.


The way the provision specifying the obligation to designate a DPO is worded is vague, but such wording was used intentionally, precisely so that the data controller would analyze the situation himself or herself and assess whether such an obligation exists in his or her case.

What is more, the Article 29 WP Guidelines on Data Protection Officers (WP 243) recommend that the assessment of whether an obligation to designate a DPO exists should be documented and, if necessary, repeated from time to time. After all, an organisation’s situation may change. For example, a small clinic may gradually expand its activities to include new services and benefits and after some time become a large-scale entity processing sensitive data.

In order to facilitate a controller’s assessment of whether it is required to designate a DPO, the Article 29 Working Party has provided indications in the above mentioned guidelines on what is meant by "core activity" or "large scale," as well as a number of practical, concrete examples of situations that meet these criteria. The guidance is based on the assumption that as practice evolves, standards will take shape that will enable more detailed and/or quantitative identification of "large scale" with respect to certain types of processing.


The Guidelines point out that for medical facilities, while the main activity is the provision of healthcare, this activity would not be possible without the processing of data in the form of patients’ health records. The activity of hospitals is given as an example of "core activity involving large-scale processing of sensitive personal data". On the other hand, the processing of patient data by a single doctor or other healthcare professional (nurse, midwife) is cited as an example of processing that does not fall within the definition of large scale, according to Recital 91 of the GDPR.

It is worth adding that, based on the same grounds, the GDPR stipulates the obligation of designating a DPO by so-called processors, i.e. entities that process personal data on behalf of medical facilities in connection with the specialized services they provide for them, such as storing medical records or servicing IT or diagnostic equipment.
