Audit model: Compliance audit - Data warehouses in the healthcare sector

Tags: GDPR, CNIL
CNIL compliance checklist relating to the processing of personal data implemented for the purpose of creating data warehouses in the field of health.

1. Who are these guidelines intended for?

1.1. The proposed data warehouse falls within the scope of these guidelines

The data warehouses covered by this standard are implemented to enable the data they contain to be re-used.

The guidelines do not apply to:

  • data warehouses implemented by a private company on the basis of its legitimate interest;

  • the processing of personal data implemented solely for the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of healthcare services and implemented by healthcare professionals and healthcare systems or services (e.g. dematerialised medical records). Such processing does not require prior formalities with the CNIL;

  • the processing of personal data when the individual has given his or her explicit consent for this purpose. Such processing does not require prior formalities with the CNIL;

  • data warehouses matched with the main database of the National Health Data System as defined in article L. 1461-1 of the French "code de la santé publique".

2. Purpose(s) of the data processing activity and governance

1. Purposes

2.1.1. The warehouse is implemented to allow the reuse of the data it contains (research, evaluations, calculation of indicators, etc.)
2.1.2. Do the purposes for which data is used in the warehouse correspond to the authorised uses?

Any use of the data in the warehouse by the data controller, for its exclusive use, is for one of the following purposes:

- production of indicators and strategic management of the activity, under the responsibility of the physician responsible for medical information;

- improving the quality of medical information or optimizing coding within the framework of the program for the medicalization of information systems (PMSI);

- operation of tools to assist in medical diagnosis or management;

- carrying out feasibility studies (pre-screening);

- carrying out research, studies and evaluations in the health field.

Apart from the uses mentioned above, the data controller must consider whether or not it is necessary to carry out specific formalities with the CNIL for any re-use of the data.

2.1.3. Do the uses of the data correspond to the authorised uses?

The data are not and will not be used:

- for the purpose of promoting the products mentioned in II of Article L. 5311-1 CSP to health professionals or health institutions;

- for the purpose of excluding guarantees from insurance contracts, nor for modifying the insurance contributions or premiums of an individual or a group of individuals presenting the same risk.

2. Governance

2.2.1. Governance is provided for to organize and supervise the operation of the warehouse (if necessary with shared bodies, if the data controller wishes to implement several different data warehouses)
2.2.2. A first body (steering committee or equivalent) determines the strategic and scientific orientations of the warehouse. This body:
- maintains an exhaustive list of the data in the warehouse and justifies its necessity;
- involves an IMG and a representative of the conference or the institutional medical committee (if applicable)

2.2.3. A second body (scientific and ethical committee, or equivalent) systematically gives a prior, reasoned opinion on project proposals requiring the re-use of data from the warehouse:
- only projects that have been examined may use the warehouse, and the opinion of the second body is communicated without delay to the project leader;
- a list of the processing operations on which the committee has given its opinion is communicated periodically, at least once a year, to the data protection officer of the controller

2.2.3.4. This second body (scientific and ethical committee, or equivalent) is composed of:
- at least one person involved in health ethics;
- a person who is independent of the data controller;
- health professionals and medico-social professionals;
- researchers;
- a representative of the users or of a patients' association

3. Legal basis(s) of the processing

3.1. The warehouse enables the controller to carry out its public interest mission(s) (legal basis for processing: Article 6-1-e of the GDPR)

4. Personal data that can be included in the warehouse

4.1. The data collected and processed by the data controller are only:
- data contained in the medical and administrative file or single computerized file of the data subject, the collection of which is justified by his or her care; and/or
- data from research projects, studies and evaluations in the field of health previously carried out and whose retention period has not expired

4.2.1. The directly identifying data that may be collected are kept in a separate space from the other data:
- name, first names;
- sex, gender, civil status;
- marital status;
- day, month, date and place of birth;
- date, place and cause of death, if present in the medical record;
- telephone, e-mail and home address;
- Permanent Patient Identifier (PPI) number;
- Episode of Care Identifier (EPI) number;
- National Health Identification Number (NIR-INS).

4.2.2. No sensitive data, other than those mentioned, are collected:
- weight, height, reports (medical, RCP, etc.), test results, results from analysis of biological samples, medical imaging, data relating to adverse effects and events;
- prescriptions;
- medical and paramedical observations;
- data from medical devices or measuring equipment and any element of the medical file;
- personal or family history, diseases or associated events;
- medico-administrative data from the local PMSI;
- genetic data strictly necessary to meet the objectives or purposes of the warehouse and having been interpreted prior to their entry into the warehouse, which may in no case be used for the purpose of identifying or re-identifying individuals; they must have been collected as part of the medical care of the person concerned or a research project, provided that the person concerned has not objected prior to the examination being carried out, in accordance with the provisions of Article L. 1130-5 of the public health code, and that he/she has been informed on this occasion of the possibility of re-use of the results obtained for subsequent research purposes;
- sexual life;
- data revealing ethnic origin;
- photographs and/or videos and/or voice recordings that do not allow direct identification of the persons concerned (for example, with masking of the face, eyes, distinctive signs) and collected under conditions that comply with the provisions applicable to image rights and voice rights;
- data relating to professional life (profession, employment history, unemployment, work trips and travel, professional exposure, INSEE socio-professional category, etc.);
- level of education (e.g. primary, secondary, higher);
- social security affiliation, complementary insurance (mutual insurance, private insurance);
- travel (e.g., to the place of care or research: mode, duration, distances or trips);
- use of tobacco, alcohol, drugs;
- lifestyle and behaviours, e.g.: dependency (alone, institutionalized, independent, bedridden), assistance (homemaker, family), physical exercise (intensity, frequency, duration), diet and eating behaviour, leisure activities;
- lifestyle (e.g., urban, semi-urban, nomadic, sedentary), housing (private home, apartment building, floor, elevator, etc.);
- vital status and cause of death;
- quality of life scale or other information about the person's quality of life;
- exposure to known health risks (physical, chemical, biological, environmental, etc.)

4.2.3. No data concerning the professionals, other than those mentioned, is collected:
- identification data: surname, first name, title;
- function, department and unit of practice;
- professional contact information (e-mail address and professional telephone number);
- ADELI number or RPPS number (excluding the registration number)

4.3.1. The initial collection of data is scientifically justified by the health or medico-social care or by the carrying out of a specific research, study or evaluation project and is provided for by a protocol
4.3.2. No data is collected solely to feed the warehouse
4.4. For any reuse, the need to process data from the warehouse shall be justified, for each category, in the application submitted to the appropriate warehouse governance body
4.5. The directly identifying data mentioned above are collected in the warehouse only for the purpose of:
- recontacting patients to offer them the opportunity to participate in future studies or to inform them of research projects that reuse their data included in the warehouse;
- recontacting patients following the discovery of genetic characteristics that may be responsible for a condition that justifies preventive measures or care for them or their families, except in cases where the patient has objected;
- recontacting patients following related discoveries linked to the identification of risk factors and/or syndromic identifications that could modify their management;
- warning a person of a health risk to which he or she is exposed

4.6. The directly identifying data mentioned in 4.2.1. are used only for purposes justified by the controller. For example, the day of birth of a person may be collected if the performance of a search is conditional on an age criterion
4.7.1. The relevance of the data included in the warehouse is regularly re-evaluated by the competent governance body. This relevance is assessed with regard to the projects carried out and planned
4.7.2. Data that is no longer required will be deleted
4.8. The following are stored separately from the pseudonymized data, using the processes described in security requirements SEC-LOG-4 through SEC-LOG-6:
- directly identifying data;
- matching tables;
- DNA data;
- location tracking data

5. Information access

5.1. Particular attention is paid to the management of the access rights of persons authorized to access the data contained in the warehouse
5.2. Access to and use of directly identifying data is restricted to the purposes listed in point 4.5 and only to those persons responsible for carrying out the operations necessary to achieve these purposes
5.3. Only authorized research teams (internal or external to the controller) are recipients of pseudonymized data. The data made available to them are strictly necessary for the achievement of the objectives of their research, study or evaluation projects
5.4. Apart from the research teams, only the authorized internal personnel of the data controller are recipients of pseudonymized data. The data made available to them are strictly necessary for the accomplishment of their missions

6. Data retention periods

6.1. The data retention period meets the criteria set out in Article 5.1.e of the GDPR (storage limitation):
- the data is kept in a form that allows the identification of the data subjects for no longer than is necessary for the purposes for which it is processed;
- data may be kept for longer periods insofar as they are processed exclusively for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), provided that the appropriate technical and organisational measures required by this Regulation are implemented in order to guarantee the rights and freedoms of the data subject

6.2.1. The data mentioned in 4.2.2 (sensitive data of the persons concerned) are deleted at the latest 20 years after their collection in the context of care or research
6.2.2. The data mentioned in 4.2.1 (data identifying the data subjects) are deleted when the retention period for sensitive data (in 4.2.2.) has expired, and at the latest 20 years after their collection
6.3. At the end of these periods, the data are anonymized or destroyed

7. Information for individuals

7.1. The persons whose data were collected at the time they were taken in charge are informed of the creation of the warehouse and of the deposit of their data in it

1. Information to (re)admitted patients after the warehouse is established

7.1.1. New patients, as well as those undergoing follow-up, are informed individually of the constitution of the warehouse
7.1.2. The information note for individuals contains all the information mentioned in Article 13 of the GDPR
7.1.3. The information note highlights the re-use of data as well as the modalities for exercising the rights of access and opposition

2. Information from patients admitted before the warehouse is set up

7.2.1. Patients admitted prior to the establishment of the warehouse and no longer being monitored are informed individually of the establishment of the warehouse. If patients cannot be informed individually, the controller invokes an exemption from individual information (point 7.2.4.) and provides for collective information (point 7.2.6.).
7.2.2. The information note for individuals contains all the information mentioned in Article 14 of the GDPR
7.2.3. The information note highlights the re-use of data as well as the modalities for exercising the rights of access and opposition
7.2.4. In the event of a request for an exception to the individual information requirement for the constitution of the warehouse, the exception invoked by the controller is justified by the fact that the provision of the information would require a disproportionate effort, based for example on:
- the number of data subjects;
- the age of the data;
- the absence of a postal or electronic address among the data held by the controller;
- the cost and time of providing the information.

Furthermore, the exception invoked applies only to those categories of persons for whom the provision of information would require a disproportionate effort
7.2.5. In order to compensate for the lack of individual information, measures are planned and implemented to protect the rights and freedoms as well as the legitimate interests of the persons concerned. These measures are detailed in the data protection impact assessment (DPIA)
7.2.6. In the absence of individual information (for all or some of the data subjects), information is made publicly available, for example:
- by the dissemination of an information note on the constitution of the warehouse on the website of the data controller, in a dedicated and accessible section, supplemented by detailed information on each processing operation implemented from the warehouse;
- by setting up a "transparency portal" on the controller's website (warehouse and subsequent re-use of data);
- by communicating about the warehouse on social networks, in regional media and through patient associations;
- by issuing a press release informing about the establishment of this warehouse

3. Information for people involved in research projects

7.3.1. Individuals whose research data are included in the warehouse are informed individually of this re-use of their data, in accordance with the provisions of Article 14 GDPR
7.3.2. If the exception to the obligation to provide individual information is used, the conditions detailed in points 7.2.4. to 7.3.2. are met
7.3.3. The retention period for research data has not expired

4. Information to the data subjects of each of the data re-uses

7.4.1. The controller establishes a "transparency portal" on its website, informing data subjects of research projects reusing their data included in the warehouse. The patient information notes refer to this transparency portal
7.4.2. Data subjects are informed of each re-use of their data for research, study or evaluation purposes. This information can be provided via the "transparency portal"

5. Information for professionals

7.5.1. Professionals working in the data controller's establishments after the warehouse has been implemented, and whose data are added to the warehouse, are informed individually and in writing of all the information provided for in Article 13 of the GDPR. The information is at least disseminated in the medical committee or conference of the institution, on the intranet of the institution and by means of posters in the staff rest areas. In addition, the information sheet may take the form of a letter or e-mail attached to the pay slip or employment contract.
7.5.2. If the warehouse contains data of professionals who are not or no longer working in the establishments when the warehouse is implemented, and the data controller is not the employer of these professionals, each of them is informed individually in writing, including the information provided for in Article 14 of the GDPR

8. Individual rights

8.1. General information, intended for health professionals and patients, is provided by the data controller in addition to the individual information and prior to the implementation of the warehouse. This general information is provided through a public information campaign, for example on social networks, within the establishments and through the publication of inserts in the regional press
8.2. Professionals and patients may exercise the following rights under the conditions set forth in the GDPR:
- right of access;
- right of rectification;
- right to erasure;
- right to limit processing;
- right to object

8.3. The patient's right to object may be exercised by any means. Moreover, people can object to the processing of their data in the warehouse as soon as they are informed
8.4. A specifically trained and empowered person (e.g. the DPO of the controller) ensures that the rights of the data subjects are exercised. His/her contact details are communicated to the data subjects and appear in the various information media
8.5. Mechanisms are provided to ensure the exercise of the rights of individuals where identifying data or means of matching identity are not kept. The data controller may not rely on Article 11 GDPR to dismiss requests to exercise the rights provided for in the GDPR
8.6. The mechanisms for feeding the warehouse allow individuals to exercise their right to object in a permanent manner and may provide a means of re-identifying the data of individuals exercising their other rights

9. Security

1. Network partitioning

9.1.1. Partitioning measures separating the network flows specific to the warehouse from the rest of the information system flows have been implemented on the communication network within which the warehouse is hosted or made accessible
9.1.2. Filtering measures are implemented to restrict the transmission and reception of these network flows to machines specifically identified and authorized for the operation of the warehouse
9.1.3. All data transmissions to and from the warehouse, as well as all internal data flows within the warehouse, are subject to encryption measures in accordance with Annex B1 of the General Security Reference System ("RGS") in order to guarantee their confidentiality

2. Logical and cryptographic partitioning

9.2.1. Personal data in the warehouse is collected or stored on systems and databases separate from those used for patient care
9.2.2. Personal data are encrypted at rest by algorithms and key sizes that comply with Annex B1 of the RGS, and an operational procedure for key management has been formalized
9.2.3. Backups of the warehouse are encrypted at rest in accordance with Annex B1 of the RGS
9.2.4. In the event that directly identifying data or mapping tables are stored in the warehouse, these are logically separated from the pseudonymized data by cryptographic means. For example: patient administrative data and correspondence tables are encrypted with different keys than those used to encrypt the health data in the warehouse
9.2.5. Access to the two separate data categories defined in requirement 9.2.4. is via different user accounts, or via a single user account that must choose one of the different clearance profiles assigned to it at login
9.2.6.1. If genetic or location tracking data is collected, it is encrypted separately from the other data in the warehouse, with a specific key
9.2.6.2. The decryption key for DNA or location tracking data can only be used by the clearance profiles responsible for feeding the warehouse and exporting data to a workspace

3. Constitution and feeding of the warehouse

9.3.1. Appropriate security measures are in place for data collection circuits. For example: transit directories are purged regularly, and strict access control to the data collected is in place
9.3.2. In the case where the warehouse is manually fed via data entry software which also allows consultation of the data entered, access to this software is secured via strong authentication in accordance with requirement 9.7.1.

4. Pseudonymization of data

9.4.1.1. No internal number, such as a patient record number, is directly reused as an identifier within the warehouse
9.4.1.2. A unique pseudonymous identifier is used, allowing, where appropriate, the matching of pseudonymized data stored in the warehouse with directly identifying data
9.4.1.3. This unique pseudonymous identifier is dedicated to a single warehouse and is generated by a cryptographic hash function resistant to brute force attacks or by a cryptographically secure pseudo-random number generator
9.4.1.4. Data is pseudonymized prior to its integration into the warehouse
9.4.2. In the case where the warehouse integrates existing pseudonymized datasets, a new unique pseudonym number respecting the conditions of points 9.4.1.1. to 9.4.1.4. is generated when the warehouse is fed
9.4.3. In the event that data relating to health professionals are collected, these data are pseudonymized
9.4.4. In the case where unstructured documents are added to the warehouse, they are subject to a deletion or masking step prior to their integration into the warehouse. The masking or deletion operation is applied to the visible content of the documents (such as mail headers and image inserts), to the metadata contained in these files (such as the name of the imaging operator), and to the attributes of the files (such as their name). This step involves removing identifying data about patients and healthcare professionals or replacing it with generic terms or dummy data. For example, NIR, birth name, first name, postal code, city or phone number will be replaced by generic terms such as "NIR", "NAME_OF_BIRTH", "FIRST_NAME", "POSTAL_CODE", "CITY" or "TEL". This requirement applies to office documents and printouts (such as medical reports and prescriptions), scanned documents, medical imaging and any form of biomedical test results. It also covers free-form comments contained in databases

5. Physical access to data

9.5. Physical access to the servers and premises housing the warehouse infrastructure is secured by adequate protection measures, in particular physical access control measures

6. Management of authorizations and logical access to data

9.6.1. Different authorization profiles are provided to manage access to data as needed and in an exclusive manner
9.6.2. Data access granularity is provided for each clearance profile, while respecting requirement 9.2.5. relating to the partitioning of correspondence tables and directly identifying data. For example: a profile may contain either access only to aggregated data and/or access to pseudonymized data, or access only to directly identifying data
9.6.3. The persons authorized to access personal data are individually authorized according to a procedure involving validation by:
- one of the bodies responsible for the governance of the warehouse; or
- their line manager, in the case of engineers and system and network administrators

9.6.4. Privileged accesses with extended rights, especially for administration and maintenance, are reserved for a restricted team and limited to what is strictly necessary
9.6.5. A manual or automatic review of authorizations is carried out regularly and at least annually, as well as at the end of each research project using the data in the warehouse
9.6.6. Access permissions are withdrawn as soon as the authorizations are withdrawn, for example after an employee leaves the organization or after a change in his/her duties

7. Authentication for the consultation and administration of the warehouse

9.7.1.1. Access to personal data is subject to strong (multi-factor) authentication using at least two distinct authentication factors
9.7.1.2. If one of these factors is a password, it complies with the CNIL's recommendations on passwords (Deliberation No. 2017-012 of January 19, 2017 at the date of writing of this reference framework, or any later update of this recommendation)
9.7.2. This strong authentication is implemented for both internal and external access to the warehouse
9.7.3. All data transmissions to and from the warehouse, as well as all internal warehouse flows, performed automatically without user action, are performed by servers mutually authenticated by certificate or an equivalent authentication device. A password alone is not considered an authentication device equivalent to a certificate

8. Workspace

9.8.1. Warehouse data is manipulated by researchers only in workspaces internal to the warehouse and specific to each research project, sealed off from the warehouse database and from each other (the only exchange permitted between workspaces is the sharing of data that has undergone the anonymization process detailed in requirement 9.9.1.)
9.8.2.1. Datasets imported into a research project-specific workspace are minimized and limited to only the data needed for the project
9.8.2.2. A unique pseudonym number specific to each workspace is generated under the same conditions as in requirement 9.4.1 (in the case of cohort tracking, the same unique pseudonym number can be reused in several workspaces)

9. Exporting data out of the warehouse and out of the workspaces

9.9.1. With the exception of data related to the re-identification procedures 9.12.1. through 9.12.3, only anonymized datasets are exported out of the warehouse or out of a workspace. The anonymization process produces a dataset that complies with the three criteria defined by G29 Opinion No. 05/2014 or any subsequent EDPS opinion on anonymization. This compliance is documented and demonstrable. Failing that, if these three criteria cannot be met, a re-identification risk assessment is conducted and documented
9.9.2. Data exports are subject to prior validation by a manager in order to endorse the principle, particularly with regard to requirement 9.9.1.
9.9.3.1. Exports are monitored automatically or manually by a specialized operator to verify their anonymity
9.9.3.2. In the case where this monitoring is automatic, any export identified as non-conforming is subject to an alert and quarantine in the warehouse, and is then manually checked by a specifically trained and empowered manager
9.9.4. The systems implemented in the warehouse relating to the production of indicators and the strategic management of the activity of a health care institution allow only anonymous returns, including when the filtering and selection functionalities of these returns are taken into account. This rendering process complies with the three criteria defined by G29 Opinion No. 05/2014 or any subsequent EDPS opinion on anonymization. This compliance is documented and demonstrable. Failing that, if these three criteria cannot be met, a study of the risks of re-identification is conducted and documented
9.9.5. The returns referred to in requirement 9.9.4. are exported in accordance with requirements 9.9.2. and 9.9.3.
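An automatic export control in the spirit of 9.9.1 to 9.9.4, as an added example written for this page (not code from the CNIL reference framework or from Dastra). The policy it encodes is a constructed stand-in for a documented anonymisation assessment, not the G29 criteria themselves: it flags leakage of identifier or pseudonym columns, quasi-identifier combinations shared by too few records (singling out), combinations that reveal a single sensitive value (inference), and small cells in aggregated returns; a non-conforming export is quarantined with findings for the manual check of 9.9.3.2. Column names, thresholds and the sample rows are assumptions.

```python
from collections import defaultdict
from typing import Dict, List

K_MIN = 5       # every quasi-identifier combination must cover at least K_MIN records
L_MIN = 2       # and carry at least L_MIN distinct sensitive values
MIN_CELL = 5    # aggregated returns (9.9.4): no cell below this count
FORBIDDEN_COLUMNS = {"nir", "ipp", "pseudonym", "birth_name", "first_name", "phone", "email"}
QUASI_IDENTIFIERS = ("birth_year", "sex", "postal_code")   # assumed column names
SENSITIVE = "diagnosis"                                     # assumed sensitive column


def generalize(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Coarsen the quasi-identifiers: birth year to its decade, postal code to its department."""
    out = []
    for r in rows:
        g = dict(r)
        decade = int(r["birth_year"]) // 10 * 10
        g["birth_year"] = f"{decade}-{decade + 9}"
        g["postal_code"] = r["postal_code"][:2]
        out.append(g)
    return out


def check_microdata(rows: List[Dict[str, str]], k_min: int = K_MIN, l_min: int = L_MIN) -> List[str]:
    """Findings for a record-level export; an empty list means the policy is met."""
    findings: List[str] = []
    if not rows:
        return findings
    columns = set(rows[0])
    forbidden = sorted(c for c in columns if c.lower() in FORBIDDEN_COLUMNS)
    if forbidden:
        findings.append("direct identifier or pseudonym column(s) present: " + ", ".join(forbidden))
    qids = [q for q in QUASI_IDENTIFIERS if q in columns]
    if qids:
        classes = defaultdict(list)
        for r in rows:
            classes[tuple(r[q] for q in qids)].append(r)
        small = sum(1 for group in classes.values() if len(group) < k_min)
        if small:
            findings.append(f"{small} quasi-identifier combination(s) cover fewer than {k_min} records")
        if SENSITIVE in columns:
            uniform = sum(1 for group in classes.values()
                          if len({r[SENSITIVE] for r in group}) < l_min)
            if uniform:
                findings.append(f"{uniform} combination(s) carry fewer than {l_min} distinct {SENSITIVE} values")
    return findings


def check_aggregate(cells: List[Dict[str, str]], min_cell: int = MIN_CELL) -> List[str]:
    """Findings for an aggregated return: cells whose count is below the minimum."""
    small = [c for c in cells if int(c["count"]) < min_cell]
    return [f"{len(small)} cell(s) below the minimum count of {min_cell}"] if small else []


def review_export(rows: List[Dict[str, str]], aggregated: bool = False) -> Dict:
    """9.9.3.2: a conforming export is released; anything else is quarantined with an
    alert and waits for the manual check by the empowered manager."""
    findings = check_aggregate(rows) if aggregated else check_microdata(rows)
    return {"status": "released" if not findings else "quarantined", "findings": findings}


# Constructed sample: ten records of a fictitious study extract.
SAMPLE_ROWS = [
    {"birth_year": "1958", "sex": "F", "postal_code": "69003", "diagnosis": "E11"},
    {"birth_year": "1951", "sex": "F", "postal_code": "69007", "diagnosis": "E11"},
    {"birth_year": "1955", "sex": "F", "postal_code": "69002", "diagnosis": "I10"},
    {"birth_year": "1959", "sex": "F", "postal_code": "69008", "diagnosis": "E11"},
    {"birth_year": "1953", "sex": "F", "postal_code": "69001", "diagnosis": "I10"},
    {"birth_year": "1972", "sex": "M", "postal_code": "69003", "diagnosis": "J45"},
    {"birth_year": "1975", "sex": "M", "postal_code": "69006", "diagnosis": "J45"},
    {"birth_year": "1978", "sex": "M", "postal_code": "69009", "diagnosis": "E11"},
    {"birth_year": "1971", "sex": "M", "postal_code": "69003", "diagnosis": "I10"},
    {"birth_year": "1979", "sex": "M", "postal_code": "69004", "diagnosis": "J45"},
]

if __name__ == "__main__":
    print(review_export(SAMPLE_ROWS))               # every row is unique: quarantined
    print(review_export(generalize(SAMPLE_ROWS)))   # two classes of five: released
```

The raw extract is quarantined because each (birth year, sex, postal code) combination is unique, which is exactly the singling-out criterion; generalising the quasi-identifiers makes every class large enough and still leaves two or more diagnoses per class. The thresholds are deliberately a policy parameter rather than a constant in the code, since the documented assessment of 9.9.1 is what justifies them for a given export.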

10. User awareness and workstation security

9.10.1. Each person authorized to access the warehouse is trained to respect medical secrecy and is regularly made aware of the risks and obligations inherent in processing health data
9.10.2. Each person authorized to access the warehouse signs a confidentiality charter specifying, in particular, his or her obligations with regard to the protection of personal health data and with regard to the security measures implemented in the warehouse, as well as the penalties for non-compliance with these obligations
9.10.3.1. The workstations of persons authorized to access the warehouse, including external users accessing the workspaces only, are subject to specific security measures, for example by setting up named accounts, adequate authentication, automatic session locking, storage media encryption and filtering measures
9.10.3.2. In the event that the workstations are not under the control of the controller, the security measures to be implemented at the workstations are governed by an agreement between the parties concerned

11. Logging

9.11.1. The actions of users of the warehouse workspaces are subject to logging measures. In particular, connections to the warehouse (identifiers, date and time), requests and operations carried out are traced
9.11.2. The accesses of engineers and system and network administrators are carried out through a specific system ensuring strong authentication as well as the detailed traceability of the accesses and actions carried out (for example, an administration bastion can be used to control the accesses and to record the sessions)
9.11.3. A control of the traces is carried out regularly and at least bimonthly, as well as at the end of each period of habilitation linked to a research project. This control is carried out by:
- a solution that performs automatic monitoring, with alerts processed manually by an authorized operator; or
- a semi-automatic control, via the execution of programs that select abnormal traces, followed by a manual rereading by an authorized operator

9.11.4. The logging traces defined in requirements 9.11.1 and 9.11.2 are kept for a period of between 6 months and one year
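The semi-automatic control of 9.11.3 (a program that selects abnormal traces for manual rereading by an authorized operator) together with the retention rule of 9.11.4, as an added example written for this page; it is not code from the CNIL reference framework or from Dastra. The one-line-per-event trace format, the selection rules and their thresholds, the user names and the habilitation table are all constructed assumptions; the rules tie back to the page's own requirements (9.6 habilitations, 9.9 export sizes, 9.12 access to the correspondence tables).

```python
from collections import Counter
from datetime import date, datetime
from typing import Dict, List

EXPORT_ROWS_MAX = 100_000                        # an export above this size is reread by hand
FAILED_LOGIN_MAX = 3                             # repeated authentication failures per user
MATCHING_TABLE_PROFILES = {"reidentification"}   # only the restricted team of 9.12.4 reads the tables
RETENTION_DAYS = 365                             # 9.11.4: traces kept between 6 months and one year


def parse_trace(line: str) -> Dict:
    """One trace per line: ISO timestamp followed by key=value fields (constructed format)."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    event["rows"] = int(event.get("rows", 0))
    event["raw"] = line
    return event


def select_abnormal(lines: List[str], habilitation_end: Dict[str, date]) -> List[Dict]:
    """Apply the selection rules; return the traces an operator must reread, with reasons."""
    events = [parse_trace(l) for l in lines if l.strip()]
    failures = Counter(e["user"] for e in events if e["action"] == "login_failed")
    selected = []
    for e in events:
        reasons = []
        ts = e["ts"]
        if ts.hour >= 22 or ts.hour < 6 or ts.weekday() >= 5:
            reasons.append("access outside working hours")
        if e["action"] == "export" and e["rows"] > EXPORT_ROWS_MAX:
            reasons.append(f"export of {e['rows']} rows exceeds {EXPORT_ROWS_MAX}")
        if e["action"] == "read_matching_table" and e["profile"] not in MATCHING_TABLE_PROFILES:
            reasons.append(f"correspondence table read by profile '{e['profile']}'")
        end = habilitation_end.get(e["user"])
        if end is None or ts.date() > end:
            reasons.append("no valid habilitation on that date")
        if e["action"] == "login_failed" and failures[e["user"]] >= FAILED_LOGIN_MAX:
            reasons.append(f"{failures[e['user']]} failed logins for this user")
        if reasons:
            selected.append({"user": e["user"], "trace": e["raw"], "reasons": reasons})
    return selected


def traces_to_purge(lines: List[str], today_iso: str, retention_days: int = RETENTION_DAYS) -> List[str]:
    """Traces older than the retention period, to be deleted (9.11.4)."""
    today = date.fromisoformat(today_iso)
    return [l for l in lines if l.strip()
            and (today - parse_trace(l)["ts"].date()).days > retention_days]


# Constructed traces: three working days on two project workspaces.
SAMPLE_TRACES = """\
2024-03-11T09:02:11 user=alice profile=researcher ws=PRJ-042 action=login_ok
2024-03-11T09:05:40 user=alice profile=researcher ws=PRJ-042 action=query rows=350
2024-03-11T23:48:02 user=alice profile=researcher ws=PRJ-042 action=query rows=20
2024-03-12T10:15:00 user=bob profile=researcher ws=PRJ-017 action=export rows=250000
2024-03-12T10:20:13 user=bob profile=researcher ws=PRJ-017 action=read_matching_table
2024-03-12T11:00:00 user=carol profile=reidentification ws=none action=read_matching_table
2024-03-13T14:02:00 user=dave profile=researcher ws=PRJ-042 action=query rows=5
2024-03-13T14:10:00 user=erin profile=researcher ws=PRJ-042 action=login_failed
2024-03-13T14:10:20 user=erin profile=researcher ws=PRJ-042 action=login_failed
2024-03-13T14:10:45 user=erin profile=researcher ws=PRJ-042 action=login_failed
""".splitlines()

# Constructed habilitation table: end date of each user's authorization (9.6.3, 9.6.6).
SAMPLE_HABILITATIONS = {"alice": date(2024, 12, 31), "bob": date(2024, 12, 31),
                        "carol": date(2024, 12, 31), "dave": date(2024, 3, 1),
                        "erin": date(2024, 12, 31)}

if __name__ == "__main__":
    for item in select_abnormal(SAMPLE_TRACES, SAMPLE_HABILITATIONS):
        print(item["user"], "->", "; ".join(item["reasons"]))
```

Against the sample, the selection keeps Alice's night-time query, Bob's oversized export and his read of a correspondence table from a researcher profile, Dave's query after his habilitation ended, and Erin's three failed logins, while Carol's read from the re-identification profile is left alone. The point of the rules being explicit and few is that the operator rereading the selection can explain why each trace was chosen, which is what a control of traces has to demonstrate.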

12. Re-identification procedures

12.1. 9.12.1. The data controller has put in place a secure operational procedure to ensure the exercise of the rights of individuals and, where appropriate, the lifting of pseudonymity and the correct re-identification of data subjects. This procedure makes it possible, on the basis of the additional information necessary for the unique identification of the person, to find or calculate the corresponding unique pseudonym number, then to select from the warehouse, with this unique pseudonym number alone, the data corresponding to the applicant and to carry out the operations necessary for the proper exercise of his or her rights (deletion of data or extraction for transmission)
12.2. 9.12.2. Where appropriate, and in the event of a duly justified and documented need, the controller has put in place a secure operational procedure to recontact patients to offer them the opportunity to participate in research. This procedure makes it possible, from a list of medical criteria, to select the unique pseudonymous identifiers corresponding to the targeted patients, then, by mobilizing the correspondence table(s) of the warehouse with these pseudonyms only, to select the identifying data corresponding to these patients in order to export them for this sole purpose
12.3. 9.12.3. Where appropriate, the controller has implemented a secure operational procedure to re-identify patients in the event of a medical emergency. This procedure makes it possible, by mobilizing the correspondence table(s) of the warehouse, to select the identifying data of the patients concerned from their unique pseudonym number, and to export them for this sole purpose
12.4. 9.12.4. Clearances and access for the re-identification procedures defined in requirements 9.12.1. through 9.12.3. are restricted to a small team and limited to what is necessary. The members of this restricted team are specifically trained for this procedure
12.5. 9.12.5. The controller has implemented adequate measures to manage the risks inherent in these re-identification procedures and in particular to ensure that they can only be used in the case of a request from a data subject or a duly authorised health professional
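As an added illustration, not part of the CNIL checklist or of Dastra's template, the Python sketch below models the separation the three procedures above rely on: the correspondence table is kept apart from the clinical records, the unique pseudonym number is derived with a keyed HMAC so it cannot be recomputed without the key, and only a restricted, audited team may walk from identity to pseudonym (9.12.1) or from pseudonym back to identity (9.12.2, 9.12.3). The key, the team members, the admitted reasons, the 16-character pseudonym length and the sample patients are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed values (not from the checklist): pseudonymisation key and the restricted team of 9.12.4.
PSEUDO_KEY = b"constructed-secret-key-held-by-the-restricted-team"
REIDENT_TEAM = {"alice.dpo", "bob.dim"}
REASONS = {"rights_request", "recontact", "medical_emergency"}

def pseudonym(identity: dict) -> str:
    # Unique pseudonym number: keyed HMAC over canonical identifying data (assumed 16 hex chars).
    canonical = json.dumps(identity, sort_keys=True, separators=(",", ":"))
    return hmac.new(PSEUDO_KEY, canonical.encode(), hashlib.sha256).hexdigest()[:16]

class Warehouse:
    def __init__(self):
        self.records = {}         # pseudonym -> clinical records, no direct identifiers
        self.correspondence = {}  # pseudonym -> identifying data, kept apart from records
        self.audit = []           # trace of every re-identification (9.11.1, 9.12.5)

    def ingest(self, identity: dict, record: dict) -> None:
        p = pseudonym(identity)
        self.correspondence[p] = identity
        self.records.setdefault(p, []).append(record)

    def _authorise(self, operator: str, reason: str, count: int) -> None:
        # 9.12.4 / 9.12.5: restricted team, admitted reason, and a trace of every use.
        if operator not in REIDENT_TEAM or reason not in REASONS:
            raise PermissionError(f"{operator} may not re-identify for {reason!r}")
        self.audit.append({"operator": operator, "reason": reason, "count": count})

    def rights_request(self, operator: str, identity: dict, action: str) -> list:
        # 9.12.1: identity -> pseudonym, then select from the warehouse with that pseudonym alone.
        self._authorise(operator, "rights_request", 1)
        p = pseudonym(identity)
        if action == "delete":  # erase the data and the correspondence entry
            self.correspondence.pop(p, None)
            return self.records.pop(p, [])
        return list(self.records.get(p, []))  # "extract" for transmission to the applicant

    def recontact(self, operator: str, criterion) -> dict:
        # 9.12.2: medical criteria -> pseudonyms -> identifying data, exported for this sole purpose.
        hits = [p for p, recs in self.records.items() if any(criterion(r) for r in recs)]
        self._authorise(operator, "recontact", len(hits))
        return {p: self.correspondence[p] for p in hits}

    def emergency(self, operator: str, p: str) -> dict:
        self._authorise(operator, "medical_emergency", 1)  # 9.12.3: pseudonym -> identity
        return dict(self.correspondence.get(p, {}))
```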

13. Management of security incidents and personal data breaches

13.1. 9.13.1. The data controller has established a procedure for managing and handling security incidents and personal data breaches, specifying the roles and responsibilities and the actions to be taken in the event of such incidents
13.2. 9.13.2. Any security incident, whether malicious or not and whether intentional or unintentional, which results, even temporarily, in the compromise of the integrity, confidentiality or availability of personal data, is documented internally in a breach log
13.3. 9.13.3. Where such an incident is likely to result in a risk to the rights and freedoms of data subjects, the resulting data breach shall be notified to the Commission in accordance with Article 33 of the GDPR
13.4. 9.13.4. In the event that the breach is likely to result in a high risk to the rights and freedoms of an individual, the controller shall communicate the data breach to the data subjects as soon as possible, in accordance with Article 34 of the GDPR

10. Subcontractors

10.1. 10.1. If a service provider is used: a contract is concluded with the service provider in accordance with the provisions of Article 28 of the GDPR
10.2. 10.2. The division of responsibilities for security and data breach management between the warehouse manager and the provider is set forth in the contract
10.3. 10.3. The provider keeps a register of processing activities in accordance with Article 30(2) of the GDPR
10.4. 10.4. The subcontractor used by the warehouse is established exclusively within the European Union or in a country recognised as adequate within the meaning of Article 45 of the GDPR
10.5. 10.5. If the subcontractor is hired to host, store or retain the data: it is approved or certified as a health data host in accordance with the provisions of the Public Health Code

11. Data transfers outside the European Union

11.1. 11.1. The establishment and operation of the warehouse does not involve the transfer of personal data, directly or indirectly identifiable, outside the European Union or to a country that does not have an adequate level of protection

12. Data Protection Impact Assessment (DPIA)

12.1. 12.1. A complete data protection impact assessment meeting the requirements of Article 35 of the GDPR has been carried out
12.2. 12.2. The impact assessment is reviewed and updated on a regular basis, in particular in case of substantial changes in the processing or in case of new risks for the data subjects
Created at: 01/01/2023

Updated on: 07/29/2024

License: Creative Commons CC-BY-NC (Attribution / No commercial use)

Author: Dastro Naute