We Provide Local DPOs and DPRs in all the Countries where it is now Mandatory


If your organisation processes (or asks a sub-contractor to process) personal data from people based in the EU, EEA, UK, Switzerland, Singapore, Brazil, Moldova, Serbia, China, Turkey and many other countries, you must appoint a local Data Protection Officer ('DPO') and/or a local Data Protection Representative ('DPR').


Such DPOs and DPRs must know the life sciences industry and, of course, must know privacy laws.


Your sub-contractors might also need to appoint such local DPOs/DPRs.


In some countries this applies for any personal data collected, in some others it applies only if you collect or process sensitive personal data like health data, or if you meet a given threshold.


This applies even if personal data are encoded ('pseudonymised' personal data). 


In addition, in some countries you must register with the local Data Protection Authority ('DPA').


Some of these countries accept that the local DPO role is played by a central DPO based in another country, but some don't.


Don't risk getting a critical finding, having operations stopped and/or receiving a financial penalty!


==> To check if you fall under some of these obligations, contact us for a free diagnostic: Bertrand at b.p.lebourgeois ( at ) pharmarketing.net, or Ersi at e.i.michailidou ( at ) pharmarketing.net.






US: New Privacy Laws in 4 US States / Final Rule for Restricting Transfers


New laws in 4 US States:


New privacy laws took effect in 4 U.S. states on 1 January 2025: the laws in Delaware, Iowa, Nebraska and New Hampshire are now enforceable.


In addition, New Jersey's comprehensive statute took force on 15 January 2025.


Thanks to IAPP for the note; read more here: US State Privacy Legislation Tracker.


DOJ issues final rule for restricting sensitive data transfers to adversarial countries:


In December 2024, the US Department of Justice issued its Final Rule Addressing Threat Posed by Foreign Adversaries' Access to Americans' Sensitive Personal Data, read here. There are 6 countries of concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

Health data (PHI), genomic data and biometric data are part of the perimeter. Entities 50 percent or more owned by a covered person are themselves considered covered persons.


Thresholds: the final rule’s prohibitions and restrictions generally apply to covered data transactions involving sensitive personal data that exceeds certain bulk volume thresholds. “Bulk” refers to any amount of sensitive personal data, whether the data is anonymized, pseudonymized, de-identified, or encrypted, that exceeds certain thresholds in the aggregate over the preceding 12 months before a “covered data transaction.”
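The threshold mechanism described above is a rolling 12-month aggregate per data category, and the treatment of the data (pseudonymised, anonymised, encrypted) does not take it out of scope. The following Python block is an added illustration, not part of the newsletter or of the DOJ rule text: it keeps a ledger of past transfers with opaque person identifiers and reports which categories exceed a threshold in the 12 months preceding a candidate transaction. The threshold figures, the category names, the window boundary convention and the sample ledger are all assumptions made for the demo; the real figures must be taken from the rule itself.

```python
from datetime import date
from typing import Iterable, Union

# ASSUMED placeholder thresholds (distinct US persons per category), used
# only to make the demo run. They are NOT the figures from the DOJ rule.
BULK_THRESHOLDS = {"genomic": 100, "biometric": 1_000, "health": 10_000}

# Treatments that do NOT remove data from the count: the rule aggregates
# anonymised, pseudonymised, de-identified and encrypted data alike.
COUNTED_TREATMENTS = {"plain", "pseudonymized", "anonymized", "de-identified", "encrypted"}


def _to_date(d: Union[date, str]) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def twelve_months_before(d: Union[date, str]) -> date:
    """Same calendar day one year earlier (29 February falls back to 28 February)."""
    d = _to_date(d)
    try:
        return d.replace(year=d.year - 1)
    except ValueError:
        return d.replace(year=d.year - 1, day=28)


def window_totals(transfers: Iterable[dict], transaction_date: Union[date, str]) -> dict:
    """Distinct US persons per category transferred in the 12 months before
    transaction_date. Boundary convention (assumed for the demo): window start
    inclusive, transaction date exclusive."""
    transaction_date = _to_date(transaction_date)
    start = twelve_months_before(transaction_date)
    seen: dict = {}
    for t in transfers:
        if t["treatment"] not in COUNTED_TREATMENTS:
            raise ValueError(f"unknown treatment {t['treatment']!r}")
        if not (start <= t["date"] < transaction_date):
            continue
        # Union rather than sum: a person present in two transfers counts once.
        seen.setdefault(t["category"], set()).update(t["person_ids"])
    return {cat: len(ids) for cat, ids in seen.items()}


def bulk_categories(transfers: Iterable[dict], transaction_date: Union[date, str],
                    thresholds: dict = BULK_THRESHOLDS) -> dict:
    """Categories whose 12-month aggregate exceeds the threshold, with the count."""
    totals = window_totals(transfers, transaction_date)
    return {cat: n for cat, n in totals.items() if n > thresholds[cat]}


# Constructed sample ledger: opaque identifiers, no real data.
SAMPLE_TRANSFERS = [
    {"date": date(2024, 3, 1), "category": "genomic",
     "person_ids": {f"p{i}" for i in range(0, 60)}, "treatment": "pseudonymized"},
    {"date": date(2024, 9, 15), "category": "genomic",
     "person_ids": {f"p{i}" for i in range(40, 110)}, "treatment": "encrypted"},
    {"date": date(2023, 6, 1), "category": "genomic",  # older than 12 months: ignored
     "person_ids": {f"p{i}" for i in range(200, 300)}, "treatment": "plain"},
    {"date": date(2024, 11, 1), "category": "health",
     "person_ids": {f"h{i}" for i in range(500)}, "treatment": "anonymized"},
]

if __name__ == "__main__":
    # The two genomic transfers overlap on p40..p59, so the union is 110 persons.
    print(bulk_categories(SAMPLE_TRANSFERS, "2025-01-10"))  # {'genomic': 110}
```

Two design points matter for a compliance check of this kind: overlapping persons across transfers must be de-duplicated (a sum of per-transfer counts would over-count), and the treatment flag is validated but never used to exclude a transfer, which mirrors the rule's "whether the data is anonymized, pseudonymized, de-identified, or encrypted".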





New Zealand, New York and India: Privacy Laws to Come

In a nutshell:


New Zealand: The Privacy Amendment Bill is coming soon – here’s what you need to know



New York: the Health Information Privacy Act awaits enactment by the governor. Full story


India: India extends draft DPDPA rules consultation, read here.






Examples of Non-Compliance with Health Data Privacy


Data Protection Authorities published several decisions related to the processing of health data in the past months.

Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.


For each decision, we propose key takeaways: use them as ideas and guidelines for your own organisation: check that such measures are implemented at your organisation, and if not, talk to your management (or talk to us!).

Many thanks to GDPRhub (NOYB), to databreaches.net and to IAPP for all this valuable information!


Italy:


Fact:


The Italian DPA fined a plastic surgeon €20,000 for publishing on Instagram images taken of a data subject during an aesthetic surgery, without the data subject's prior consent. Read more or edit on GDPRhub...


Comment:


Images of patients are personal data; furthermore, they are sensitive personal data. Publishing such data on social media can lead to a high risk for the private life of the patient: for example, the person can get nuisance emails or calls, or receive mean comments from their neighbours or colleagues.


Whereas the surgeon can process patients' personal data to provide care without asking for the patients' consent (according to Italian healthcare laws), publishing images on a social network is clearly for a different objective, here probably advertising. Therefore the surgeon needs to identify which GDPR legal basis can make this personal data processing compliant with the GDPR. In this case, it is the patients' GDPR consent.


Takeaway:


This incident is about the reuse of personal data for a different objective. Your organisation can reuse personal data for a different objective, but in that case you need to make sure that the data subjects were informed and that you have a valid legal basis to do so. If in doubt, take the advice of an expert or ask your local DPA.


Netherlands:


Fact:


Hundreds of Dutch medical records bought for pocket change at flea market: Robert Polet, a 62-year-old techie and apparent bargain hunter from Breda, a city in the southern part of the Netherlands, inadvertently happened upon a 15GB trove of sensitive medical records after picking up a quintet of 500GB hard drives for €5 ($5.21) each.


After hooking them up when he returned home, Polet found medical data on the HDDs, including the Dutch equivalent of Social Security Numbers, dates of birth, home addresses, medication details, and other GP and pharmacy data. The records were from 2011-2019 and pertain mainly to individuals around the Utrecht, Houten, and Delft regions.


Read more here: Hundreds of Dutch medical records bought for pocket change at flea market – DataBreaches.Net


Takeaway:


All hardware, and especially hard disks, should be physically destroyed before being thrown away. We mean breaking the disk with a hammer or a similar tool. The reason is that a logical deletion is not enough: it has been demonstrated that data can remain readable on the magnetic platters even after a 'delete all' instruction has been run. A simple way to make sure no data will be readable anymore is to give the hard disks to a company specialised in such destruction, and to ask them to provide a certificate of destruction for each device.
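To make the "logical deletion is not enough" point concrete, the following Python block is an added illustration (not code from the newsletter) using a constructed toy disk image: a directory table at the front and file contents behind it, which is a simplification assumed for the demo rather than any real filesystem format. A logical delete removes only the directory entry, and a raw scan of the image still finds the patient record; only an overwrite of the unreferenced sectors removes it. The record contents and identifiers are constructed, not real.

```python
SECTOR = 64  # toy allocation unit, assumed for the demo


class ToyDisk:
    """Constructed stand-in for a disk: a byte image plus a directory table."""

    def __init__(self, size: int = 4096):
        self.image = bytearray(size)
        self.table: dict = {}      # name -> (offset, length)
        self.next_free = 0

    def write_file(self, name: str, data: bytes) -> None:
        off = self.next_free
        self.image[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        # Next file starts on a fresh sector boundary.
        self.next_free = off + ((len(data) + SECTOR - 1) // SECTOR) * SECTOR

    def logical_delete(self, name: str) -> None:
        """What an ordinary 'delete' does: drop the directory entry, leave the bytes."""
        del self.table[name]

    def overwrite_free_space(self) -> int:
        """Overwrite every sector no directory entry points at; returns sectors wiped.
        A fixed zero pattern is used here; the point is that the bytes are replaced."""
        used = [(off, off + length) for off, length in self.table.values()]
        wiped = 0
        for start in range(0, len(self.image), SECTOR):
            end = start + SECTOR
            if not any(s < end and start < e for s, e in used):
                self.image[start:end] = bytes(SECTOR)
                wiped += 1
        return wiped

    def raw_scan(self, needle: bytes) -> bool:
        """Read the medium directly, ignoring the directory: is the pattern still there?"""
        return needle in self.image


def demo() -> tuple:
    """Returns (found after logical delete, found after overwrite)."""
    disk = ToyDisk()
    # Constructed record; the identifier is a dummy, not a real number.
    record = b"BSN:000000000;DOB:1970-01-01;medication:insulin"
    disk.write_file("patient.txt", record)
    disk.write_file("readme.txt", b"unrelated file that stays")
    disk.logical_delete("patient.txt")
    after_delete = disk.raw_scan(record)      # True: the bytes are still on the medium
    disk.overwrite_free_space()
    after_wipe = disk.raw_scan(record)        # False: the free sectors were overwritten
    return after_delete, after_wipe


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The raw scan is exactly what a buyer of a second-hand drive (or a forensic examiner) can do, which is why "delete" offers no protection. Software overwriting helps on magnetic disks, but on SSDs wear-levelling can leave copies in cells the host cannot address, so the newsletter's advice of physical destruction with a certificate per device remains the safer choice.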


Poland:


Fact:


A hospital was fined PLN 29,684 (€7,045) after a data breach: they sent data concerning the health of a patient to a wrong recipient, but never asked the wrong recipient to delete such personal data and did not notify the data subject nor the Polish Data Protection Authority ('DPA') in due time. The DPA ordered the hospital to inform the patient about the breach and to explain which additional security measures they will put in place. Also, the hospital had evaluated the breach as a low risk for the private life of the patient, but, as the patient's name + social security number + health data had leaked, the risk for the private life of the patient was very high. Read more or edit on GDPRhub...


Takeaway:


First, always be transparent with people and act promptly.

Second, the data breach in question is what we call a 'point to point' personal data breach, as it took place between one person at the hospital and one wrong recipient. Such 'point to point' personal data breaches are very simple to mitigate when you act promptly: the sender just needs to ask the wrong recipient to delete the personal data received in error and to confirm deletion. 

Third, make sure all staff are regularly trained on privacy, so they know what to do if something happens; this is especially important in an organisation processing health data.


Fact:


Poland's DPA, the UODO, issued two fines totaling PLN 1.15 million (277,576 euros) to medical center Centrum Medyczne Ujastek after its video monitoring technology allegedly did not comply with data processing regulations. The UODO claimed the medical center did not conduct risk assessments or establish data deletion standards for its video monitoring technology, which could collect sensitive patient information. Full story


Takeaway:


If your organisation plans to implement a CCTV system, make sure you conduct a risk analysis for the private life of the people concerned. Also, your organisation will need to inform all employees and visitors by means of an information notice and by signs at the entrance of the premises. In several countries, you will also have to notify an authority and obtain its formal agreement before putting such a CCTV system in place. Pay attention to the storage duration of the video recordings, which should be proportionate to the objectives of implementing the CCTV system.


US:


Fact:


Researcher Jeremiah Fowler reports that he found unsecured data with 1,674,218 records belonging to DM Clinical Research. DM Clinical Research is a Texas-based network of more than 24 multi-therapeutic clinical trial sites involved in research on vaccines, internal medicine, pediatrics, gastroenterology, psychiatry, neurology, women's health, and more. DM Clinical Research's site claims that they have tens of thousands of patients enrolled. Read more





IT for Dummies: Key Items to Pay Attention to in a Contract with a Software Provider


At PharMarketing, we appreciate that most of our readers are versed in biology, medicine, chemistry, manufacturing, legal, regulatory or clinical operations, but few of them feel comfortable with IT:


So, we decided to start a series on 'IT for Dummies', to help you grasp key and useful facts about IT security in a simple way.


After discussing Best Practices with an External Hard Disk last month, let's look at the key clauses you want to have in a contract with a Cloud software provider.


The key items to look at are the following:


  1. Service Level Agreement ('SLA')
  2. Security measures in place to protect hosting of your data
  3. Countries where your data will be hosted
  4. Compliance with privacy laws
  5. Possibility to test the software before a new release is implemented
  6. Possibility to audit the software provider remotely or on site
  7. Possibility to get the data back in case of contract termination or if software company dissolves
  8. Compliance with GxP if applicable


NB: this is not an exhaustive list, but in our experience these are the most important points to discuss with your software provider before you sign the contract.


Now let's look in more detail at each of these items:


  1. Service Level Agreement ('SLA'): an SLA is a clause where the software provider commits to deadlines in case of unavailability of the cloud and, more generally, to a service level.
  2. Security measures in place to protect the hosting of your data: as a client, you are entitled to ask the software provider to indicate the Technical and Organizational Security Measures they have put in place: this can go from staff training, security of the premises where the IT servers are, penetration tests and cybersecurity measures to role-based access, etc.
  3. Countries where your data will be hosted: this is important, as some countries can decide they own your data or that they can get a copy of your data, and some other countries are on 'black lists', as described in the article on transfers from the US to some countries in this Newsletter; also, some countries have privacy laws protecting your data, but some don't.
  4. Compliance with privacy laws: the software provider must demonstrate why they think they comply with existing privacy laws (from your country and from their country), and that they checked that their sub-contractors also comply.
  5. Possibility to test the software before a new release is implemented: this is really important. The vendor should not 'impose' a new release of the software on you without you having the time and the environment to test the new version. The vendor should provide you with a test environment dedicated only to your organisation, where you can create your own test data and your own data flows. If the vendor proposes that you use their own test data, don't accept, because of course their test data will work: you need to perform the tests in your real business conditions. Last point: what you want to test is the non-regression, meaning you want to make sure that everything that was working before will still be working in the new version; if not, ask to stay on the current version of the software and refuse to migrate until the findings are fixed.
  6. Possibility to audit the software provider remotely or on site: the contract should allow you to audit the software provider from time to time, either remotely or on site, with a reasonable notice period. The vendor should not invoice you if the frequency and the length of the audits are reasonable and in line with the industry's best practices. If you identify findings, the vendor should populate a CAPA/action plan at no cost to you, and keep you informed on a regular basis of the implementation of the planned actions. A typical way to manage this is to hold a monthly meeting with your vendor.
  7. Possibility to get the data back in case of contract termination or if the software company dissolves: this should be clear from the start: how can you get your data back, and will it be in an easily readable format?
  8. Compliance with GxP if applicable: for example, does their software include an audit trail? Did they validate the software according to GAMP 5 or 21 CFR (Part 11)?


Do you plan to buy new software and would like support?


Contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net: Bertrand is a former IT Director in the industry and has extensive experience in software and IT consulting.



  1. My company plans to work with a new sub-contractor for processing patient data. I have asked this sub-contractor to answer a privacy and GxP compliance questionnaire, but their answers are not clear and they refuse to provide evidence of their compliance: should I contract with this vendor? yes / no


Answer: No. It's not a good sign at all if a vendor is not transparent and seems to hide or withhold information. So, in this situation, tell the vendor clearly that you can't go ahead with them if they don't provide the answers you asked for within a given deadline, and start searching for another vendor!

   

  2. My company decided to launch a retrospective study and I need to check that we comply with the relevant regulations/guidelines: do the Good Clinical Practices apply? yes / no


Answer: No. You can decide to comply with GCP if you like, but at this time ICH E6 R3 doesn't apply to non-interventional studies. For such studies, you need to follow the Guidelines for Good Pharmacoepidemiology Practices (GPP) issued by the professional association ISPE in 1996; the last revision was issued in June 2015.