Data Privacy Services Life Sciences EU GDPR Audit Training

In the past, only organisations with a legal entity in the UK had to pay an annual fee to the ICO

Now all organisations in the world with activity in the UK must pay an annual fee to the Information Commissioner's Office ('ICO), UK's Data Protection Authority.

This applies whether you act as Data Controller or as a Data Processor, and even if your organisation has no office nor legal entity in the UK.

(there are some derogations, for example if you are a not-for-profit org etc.).

UK hospitals now ask to external organisations if they haev paid this fee; if not, you will not be able to contract with a NHS hospital.

The amount of the fee is not important, but it certainly represents an interesting new source of revenue for the UK government.

If you want to assess how much you will have to pay annually, go to this link:

https://ico.org.uk/for-organisations/data-protection-fee/data-protection-fee-self-assessment/

All organisations based Outside of Algeria, Tunisia or Turkey but processing personal data from people based in these countries must register with the DPA from such country.

This applies only for data controllers, not for data processors.

For more information on this and on how to register, please contact our senior consultant Karine at k.i.renault ( at ) pharmarketing.net

Dr. Dragutin Rafailović, MD is an experienced Drug Safety Physician with a demonstrated delivery of medical, clinical, and scientific advisory expertise in clinical research studies and post marketing programs, signal detection and aggregated reporting.

At PharMarketing, Dr Rafailović will act as Data Protection Representative ('DPR') in Serbia for a US clinical stage organisation developing In Vitro Diagnostics.

He is skilled in medical review, medical writing, signal detection, medical monitoring, literature review, clinical research, and client/staff training.

Dragutin is a strong pharmacovigilance professional with a medical degree (MD) and line management experience. He has a complete understanding of guidelines (FDA, ICH, EMA, GCP and Medical Devices Regulation (MDR) 2017/745). Experience of GDPR.

He is experienced with providing advanced pharmacovigilance services to multiple customers with medicinal products in various phases of their lifecycle including clinical development and marketed products. He also served as physician for two and a half years at the Clinic of Urology, Clinical Center of Serbia.

His therapeutic areas of experience are: oncology (lung, genitourinary, renal, lymphoma), rare diseases (endocrinology/metabolism, ophthalmology), hepatology, neurology (movement disorders), infectious disease (bacterial, viral, immunization), analgesia.

Dragutin is a devoted father to a daughter. He loves basketball, watches, and archaeology.

Contact Dragutin at d.d.rafailovic ( at ) pharmarketing.net

In its press release dated 23 June 2024, the EU Commission wrote that "All Member States should start transitioning to post-quantum cryptography ('PQC') by the end of 2026.

At the same time, the protection of critical infrastructures should be transitioned to PQC as soon as possible, no later than by the end of 2030."

The article doesn't explain what the EU commission consider as a 'critical infrastructure', but we can guess that any server containing patient healthcare data, even redacted, can be considered as critical.

PharMarketing wrote to Henna Virkkunen, Executive Vice-President for Technological Sovereignty, Security and Democracy, to get clarification on what she considers as a 'Critical Infrastructure'. We will keep you updated if and when we receive an answer.

Read the press release:
https://digital-strategy.ec.eu...

On May 27, 2025, the Private Security Regulations of Law No. 21,659 were published, understanding these as "the set of activities or measures of a preventive, supporting, and complementary nature of public security, aimed at the protection of people, property, and production processes, developed in a specific area and carried out by natural persons or legal entities under private law" (Art. 1). Among the private security activities, it indicates that there are the surveillance, protection, and security of establishments; the installation and maintenance of devices, equipment, technological components, and electronic security systems connected to alarm receiving centers, among others indicated in Article 2 of the aforementioned regulation. One of the interesting aspects of the regulation is the obligation of public or private institutions called upon to provide private security services to "respect and protect human rights and fundamental freedoms, especially in the case of persons in vulnerable situations, children or adolescents, and persons with disabilities" (Article 3, paragraph 5).

This is directly linked to an approach in which, various activities recognized by the aforementioned regulation imply personal data processing activities and therefore, may entail a risk to the rights and freedoms of personal data holders, therefore, Law No. 19,628 on the protection of privacy, modified by the recently published Law No. 21,719, which creates the Personal Data Protection Agency and which comes into force on December 1, 2026, has a direct application. In addition, the regulation reinforces the need for obligated subjects to transmit personal data and unique license plates of vehicles entering premises, upon request from the Public Prosecutor's Office or the police, even noting that when done in good faith, it is not considered a breach of confidentiality (final paragraph of article 5 of the regulation), and must be evaluated in light of the principles of the regulations on the protection of personal data. Finally, it indicates that there will be a platform managed by the Undersecretariat for Crime Prevention, which will be interconnected with the supervisory authorities and will serve as support in administrative procedures and in matters of private security (Article 115).

A detailed analysis of the regulations indicates that private security guards, "those who perform tasks of protecting people and property within a specific area or premises, carrying weapons, credentials, and uniforms" (Article 26 of the Regulation), like private guards, i.e., auxiliary personnel who support surveillance and protection functions (without carrying weapons), must have a course on privacy and personal data protection with an emphasis on adequate protection. This includes understanding their role in terms of capturing personal data in situations related to their work. They must have knowledge associated with the obligations they will have in their role as data processors, for example. It also adds that these courses will be approved by the Undersecretariat for Crime Prevention, and that the trainers of said courses must meet specific requirements, including (Article 107).

In the same vein, and by analyzing some of the activities of private security, one can at first glance identify some uses of personal data, such as:

Surveillance, protection, and security of establishments; and installation and maintenance of apparatus, equipment, devices, technological components, and electronic security systems. (Art. 2 No. 4)

Obligation to transmit personal data and license plates of vehicles entering the premises to the Public Prosecutor's Office and the police (Art. 5).

Preserve and make available to the authorities all records, instruments, effects, and evidence that allow the identification of perpetrators or accomplices of crimes (Art. 3 No. 3).

Private surveillance systems (Art. 21) for valuables transport companies, banking and financial institutions of any kind, and banking support companies that receive or maintain money in their operations. Audiovisual recording system used by private security guards, understood as "the set of technological devices for recording, processing, and/or storing images and sounds, including their real-time transmission, as well as the reconstruction of a sequence of images representing moving scenes used by private security guards in the performance of their duties" (Article 36).

Activities of electronic security companies, particularly those that manage remote surveillance and alarm services (Article 76), among others.

For all of these activities that capture personal data and, consequently, involve various uses in accordance with the processes outlined in the regulations, it is essential to consider certain principles described in the personal data regulations, such as the legality of the processing—which typically involves the execution or fulfillment of a legal obligation—, the purpose, proportionality, and data security (e.g., in access controls and cameras in establishments). Furthermore, the full exercise of the rights of personal data owners (access, rectification, deletion, or objection; portability) must be permitted, unless there is a legal limitation (e.g., Article 23 of Law No. 21,719, which amends Law No. 19,628). Likewise, in cases where there are, for example, "treatment that involves systematic observation or monitoring of a public access area" (art. 15º ter Law No. 21,719, letter b), impact assessments must be carried out, considering aspects such as the description of the treatment operations, the purpose, the assessment of the need and proportionality with respect to the purpose, and therefore, the risks and their mitigation measures.

It also indicates that banking and financial institutions of any nature, as well as companies supporting banking operations, must incorporate a filming system that can generate high-resolution records and allow the recording of clear images with the time, day, month, and year of capture, and must remain in continuous operation. These cameras must be hidden or properly protected from possible intrusions. They must be stored for a period of at least 120 days, unless the recording is likely to be part of a judicial or investigation case or administrative process, in which case it must be stored for the duration of the corresponding processing. In turn, those not requested by the Public Prosecutor's Office must be destroyed two years after their capture (Article 46, paragraph 4). Therefore, this activity must also comply with principles such as proportionality, purpose, transparency, and information, without affecting the objective of the management.

In conclusion, the Regulation enacted makes progress in including, from a personal data protection perspective, several aspects already mentioned. Special consideration is given to personal data processing activities specific to private security, where the principles of lawfulness, proportionality, and security measures, associated with transparency and information, become relevant in certain cases and, therefore, become critical aspects for compliance with the regulations, especially for those organizations that define the means and purposes of processing; and therefore, in terms of their role as data controllers, or also as providers of financial or banking institutions required to implement private security measures, acting as data processors, for example. Without a doubt, implementing a Breach Prevention Model and, consequently, a record of processing activities, such as a personal data protection officer in the organization leading the implementation of these organizational and technical measures, will be tremendous differentiators when implementing the Law.

Juan Pablo González Gutiérrez is a lawyer, Director of HD Group in the field of personal data protection and cybersecurity, and an academic.

On 27 May 2025, The Cyberspace Administration of China published answers to questions about the implementation of its Personal Information Protection Compliance Audit Management Measures, which took effect 1 May. The DPA also offered an FAQ on outbound data transfers and appropriate security measures, see below:

数据出境安全管理政策问答（2025年5月）_中央网络安全和信息化委员会办公室

Regarding the implementation of the "Measures for the Administration of Personal Information Protection Compliance Audit":

The Measures for the Administration of Personal Information Protection Compliance Audits came into force on May 1, 2025, and the relevant person in charge of the Cyberspace Administration of China answered questions from reporters on matters related to its implementation.

Question 1: Is there any operational guide for personal information protection compliance audit?

Answer: In accordance with the Measures for the Administration of Personal Information Protection Compliance Audits and the attached Guidelines for Personal Information Protection Compliance Audits, the Secretariat (www.tc260.org.cn) of the National Cybersecurity Standardization Technical Committee organized the compilation and release of the "Cybersecurity Standards Practice Guidelines - Requirements for Personal Information Protection Compliance Audits", which regulates the implementation process, compliance audit content and methods, compliance audit evidence, working paper templates, report templates, etc. Professional bodies may refer to the Practice Guide to conduct personal information protection compliance audits.

Question 2: How to apply for certification by a professional organization for personal information protection compliance audit?

Answer: Article 7 of the Measures for the Administration of Personal Information Protection Compliance Audit stipulates that "relevant professional institutions are encouraged to pass certification." The certification of professional institutions shall be carried out in accordance with the relevant provisions of the Regulations of the People's Republic of China on Certification and Accreditation". The Data and Technology Assurance Center of the Cyberspace Administration of China, the China Cybersecurity Review and Certification and Market Supervision Big Data Center, and Beijing Saixi Certification Co., Ltd. have filed the relevant certification rules with the Certification and Accreditation Administration of the People's Republic of China, and will implement the certification in accordance with the certification rules and the "Cybersecurity Standard Practice Guide - Personal Information Protection Compliance Audit Service Capability Requirements for Professional Institutions" and "Cybersecurity Standard Practice Guide - Personal Information Protection Compliance Audit Requirements". Professional bodies can apply for certification from the above three certification bodies.

Question 3: What capabilities should personal information protection compliance auditors have?

Answer: The "Cybersecurity Standard Practice Guide - Personal Information Protection Compliance Audit Service Capability Requirements for Professional Institutions" and the "Cybersecurity Standard Practice Guide - Personal Information Protection Compliance Audit Requirements" divide personal information protection compliance auditors into three levels: primary, intermediate and senior, and clarify the competency requirements of different levels of compliance auditors in terms of laws and regulations, professional knowledge, professional ability, project management, report writing and review, etc., and can be consulted in the practice guide to understand the specific content of the competency requirements.

Question 4: How to evaluate the ability of personal information protection compliance auditors?

Answer:

The Cyberspace Security Association of China has compiled the Key Points for the Evaluation of the Competence of Personal Information Protection Compliance Auditors in accordance with the "Cybersecurity Standard Practice Guide - Personal Information Protection Compliance Audit Service Capability Requirements for Professional Institutions" and the "Cybersecurity Standard Practice Guide - Personal Information Protection Compliance Audit Requirements" on the competency requirements of personal information protection compliance auditors, clarifying the objectives, methods, and key points of the competency evaluation of personal information protection compliance auditors at different levels. An evaluation of the competence of personal information protection compliance auditors will be carried out, and relevant information can be found on the official website (www.cybersac.cn) of the Cyberspace Security Association of China.

FAQ: Q&A on Security Management Policy for Cross-border Data Transfer (May 2025)

The Cyberspace Administration of China (CAC) continues to strengthen the publicity and implementation of data export security management policies, guiding and assisting data processors to carry out data export activities efficiently and compliantly. As a result of a study of the recently received consultation questions, some representative questions and responses are published below.

Question 1. What is the specific process for identifying and declaring important data?

Answer:

Article 21 of the Data Security Law stipulates that the National Data Security Work Coordination Mechanism coordinates relevant departments to formulate important data catalogs and strengthen the protection of important data. Each region and department shall follow the data classification and hierarchical protection system to designate a specific catalog of important data for that region, that department, and related industries and fields, and carry out key protections for data entered into the catalog.

Article 29 of the "Regulations on the Management of Network Data Security" stipulates that network data processors shall identify and report important data in accordance with relevant state provisions. Where data is confirmed to be important, the relevant regions and departments shall promptly inform the network data handlers or publicly release it.

To implement relevant laws and regulations, each department is formulating standards and specifications for data classification and grading in relevant industries and fields, as well as rules for identifying and reporting important data, to provide specific basis and operational guidance for data processors in that industry or field to identify and declare important data. Some industries and fields have publicly released data classification and grading standards and important data identification and declaration rules, such as the "Guidelines for the Identification of Important Data in the Industrial Field" in the industrial field, the "Guidelines for the Identification of Important Data in the Telecommunications Field" in the field of telecommunications, the "Guidelines for the Classification and Grading of Geographic Information Data in the Field of Natural Resources (Trial)", and the "Measures for the Security Management of Statistical Data" in the field of statistics, etc., and some have been notified to data processors through meetings, documents and one-to-one notices. Data handlers shall follow relevant standards and specifications, reporting rules, and the requirements of relevant regulatory departments to promptly complete efforts to identify and report important data.

The relevant industry regulatory departments are to make designations of data handlers' declarations of important data, and where it is confirmed to be important data, they will promptly notify the data handlers or publicly release it. If data handlers are informed that they have important data or that the data they have is publicly released as important data, they shall perform their responsibility for protecting the security of important data in accordance with the requirements of relevant laws and regulations.

Where data classification and grading standards and specifications for industries and fields and rules for the identification and declaration of important data have not been issued, and data handlers have not been informed by the relevant departments that they should carry out important data identification and declaration, failure to identify and declare important data, and failure to carry out key protections for relevant data, will not be found to be a violation of important data protection provisions, and will not be subject to administrative punishment for this.

Question 2. How to carry out important data export activities in compliance with regulations?

Answer:

According to Article 37 of the Cybersecurity Law, Article 31 of the Data Security Law, Article 37 of the Regulations on the Management of Network Data Security, and relevant provisions of the Measures for Security Assessment of Cross-border Data Transfer and the Provisions on Promoting and Regulating Cross-border Data Flow, if a data processor truly needs to provide important data collected and generated in the course of its operations within the territory of the People's Republic of China and needs to be provided abroad, it shall pass the security assessment of data export organized by the CAC. For the process of applying for security assessment for data export, please refer to the Guidelines for Security Assessment and Application for Data Export issued by the Cyberspace Administration of China. For important data that truly needs to be exported, it may be exported if it is found that it will not endanger national security or the societal public interest after a security assessment of the data export.

Where data handlers shall identify and declare important data in accordance with relevant provisions, and where they have not been notified by the relevant departments or regions or publicly released as important data, the data handlers do not need to apply for a security assessment of the data export as important data, and the relevant data export activities will not be found to be important data exported in violation of laws and regulations, and will not be subject to administrative punishment for doing so.

Where data handlers need to continue to carry out relevant data export activities after being informed that they have important data or that the data they have is publicly released as important data, they shall report to the national cyberspace administration for data export security assessment through the local provincial-level internet information department within 2 months of being informed or publicly released. Data handlers shall carry out data export activities in accordance with the results of the security assessment issued by the state internet information department, to truly ensure the security of important data exports.

Source texts in Chinese:

https://www.cac.gov.cn/2025-05...

数据出境安全管理政策问答（2025年5月）_中央网络安全和信息化委员会办公室

The International Trade Administration (ITA) announced on 2 June 2025 the official launch of the Global Cross-Border Privacy Rules (CBPR) and Global Privacy Recognition for Processors (PRP) Systems—international privacy certifications which provide a simple and transparent means for organizations to ensure the protection of personal information when moving across jurisdictions.

The International Trade Administration (ITA) at the U.S. Department of Commerce is the premier U.S. Government resource for American companies competing in the global marketplace.

Organizations seeking certification must undergo assessments by approved Accountability Agents (AAs). U.S. companies interested in obtaining the Global CBPR and Global PRP Systems certifications can contact any of the following Accountability Agents:

BBB National Programs
NCC Group
Schellman
TRUSTe

The Global CBPR and PRP Systems launch with approximately 100 certified companies covering over 2,000 entities (subsidiaries included within the parent company’s certification), which can be found on the Global CBPR Forum’s website.

The Global CBPR Forum administers the global privacy certifications to support the free flow of data and effective data protection and privacy globally. In 2022, the Forum was established by Australia, Canada, Japan, the Republic of Korea, Mexico, the Philippines, Singapore, Chinese Taipei (Taiwan), and the United States as jurisdictions participating in the Asia-Pacific Economic Cooperation (APEC) CBPR System at the time. In addition to these nine Members, the Forum has since welcomed the United Kingdom, Bermuda, Dubai International Financial Center, and Mauritius as Associates.

Ms. Shannon Coe, Director of Global Data Policy at ITA and Chair of the Global CBPR Forum, emphasized the importance of these certifications in supporting today’s digital economy. “The launch of the Global CBPR and Global PRP Systems empowers companies worldwide to uphold the highest standards of data privacy, fosters trust, enables trade and drives innovation in a connected future,” said Ms. Coe. “We encourage companies operating in the global market to consider becoming certified and jurisdictions to join the Forum to make this tool available to companies in their jurisdictions.”

The International Trade Administration (ITA) at the U.S. Department of Commerce is the premier U.S. Government resource for American companies competing in the global marketplace.
The launch of the Global CBPR and Global PRP privacy certifications represents a major step forward in the United States’ efforts to support trusted global data flows critically important to the modern economy, economic growth, and innovation. These certifications will benefit U.S. companies of every sector by ensuring that data privacy compliance and regulatory differences don not hinder the ability to deliver products and services worldwide.

Read ITA's press release here: I TA Announces the Official Launch of International Privacy Certifications

For the first time, a Data Protection Authority asked a big player to delete the AI Model it had trained and developed with unlawfully acquired personal data.

In Korea, Kakao Pay, a wallet provider, sent 40 million personal records to Alipay. In turn Alipay built "NSF scores" for Apple Pay without notice or consent. In addition, the PIPC (Korea's Data Protection Authority) held that the transfer of personal data outside Korea was illegal. The PIPC levied KRW8.3 billion in fines (5 322 782 euros) and ordered Alipay to erase the algorithm itself.

Takeaway: the PIPC raises the bar for data transfers and AI (à reformuler) ********

Read the press release of the PIPC (in English) here: https://www.pipc.go.kr/eng/use....

2 June 2025: Poland's data protection authority, Urząd Ochrony Danych Osobowych, ('UODO') launched public consultations on a draft GDPR Code of Conduct dedicated to innovative pharmaceutical companies. The UODO will host a series of meetings to obtain feedback from stakeholders.

A GDPR Code of Conduct (‘CC’) is a very powerful tool allowed by the GDPR. Once this CC will be approved, any pharma company can use as a guide to become compliant to GDPR.

The only EU/EEA country which has already approved a national CC for Clinical Research at this time is Spain.

The EUCROF and the the EFPIA are working with the EDPB to get approval for CC for clinical research across all EU/EEA.

The Association of Employers of Innovative Pharmaceutical Companies INFARMA is starting the process of public consultations on the draft Code in the area of personal data processing by innovative pharmaceutical companies.

As part of the consultations, consultation meetings are planned for various stakeholder groups. The first meeting took place on June 4, 2025 and was targeted to representatives of clinical trial sites and researchers. It was held online.

The content of the code and details of the consultations, including the procedure for submitting comments, will be available on the INFARMA website in the "GDPR Code" tab (https://www.infarma.pl/). urther meetings are also planned. Their date has not yet been set.

Recognising the need to unify the interpretation of the applicable law, INFARMA has taken the initiative to prepare a code of conduct, within the meaning of Article 40 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, in the area of personal data processing by innovative pharmaceutical companies that are members of our organization.

This Code applies in particular to the following areas of activity in the pharmaceutical sector:

conducting clinical trials and analyses in order to develop new innovative medicines;
processing Personal Data of Patients and third parties involved in research processes, in a manner that ensures adequate protection of their data;
support systemic solutions in the field of health care aimed at improving the quality of treatment and the availability of modern therapies in Poland.

As part of the above initiative concerning the development of the code, we invite you to consult the prepared draft document - the CODE OF CONDUCT FOR THE PHARMACEUTICAL SECTOR. The consultation is open to all stakeholders and individuals and aims to gather views, comments and suggestions to further improve the Code.

Your input is extremely valuable and will help to ensure that the rules developed are in line with best practice and applicable legal regulations.

Consultations on the draft CODE OF CONDUCT FOR THE PHARMACEUTICAL SECTOR last from 4 June to
18 August 2025.

Read the full press release from the UODO:

https://uodo.gov.pl/pl/138/372...

Read the press release from Infarma and download the draft Code of Conduct (in Polish):

https://www.infarma.pl/etyka/k...

On 5 June 2025 the European Data Protection Board (EDPB) released the final version of its guidelines on data transfers to third country authorities.

Article 48 GDPR provides that: “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter”.

The purpose of these guidelines is to clarify the rationale and objective of this article, including its interaction with the other provisions of Chapter V of the GDPR, and to provide practical recommendations for controllers and processors in the EU that may receive requests from third country authorities to disclose or transfer personal data.

The main objective of the provision is to clarify that judgments or decisions from third country authorities cannot automatically and directly be recognised or enforced in an EU Member State, thus underlining the legal sovereignty vis-a-vis third country law. As a general rule, recognition and enforceability of foreign judgements and decisions is ensured by applicable international agreements.

Regardless of whether an applicable international agreement exists, if a controller or processor in the EU receives and answers a request from a third country authority for personal data, such data flow is a transfer under the GDPR and must comply with Article 6 and the provisions of Chapter V.

An international agreement may provide for both a legal basis (under Article 6(1)(c) or 6(1)(e)) and a ground for transfer (under Article 46(2)(a)).

In the absence of an international agreement, or if the agreement does not provide for a legal basis under Article 6(1)(c) or 6(1)(e), other legal bases could be considered. Similarly, if there is no international agreement or the agreement does not provide for appropriate safeguards under Article 46(2)(a), other grounds for transfer could apply, including the derogations in Article 49

Read the press release from the EDPB:

https://www.edpb.europa.eu/new...

Download the guidelines here: https://www.edpb.europa.eu/our...

Data Protection Authorities published several decisions related to the processing of health data in the past months.

Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.

For each decision, we propose key takeaways: use them as ideas and guidelines for your own organisations: check that such measures are implemented at your organisation, and if not, talk to your management (or talk to us!).

Many thanks to GDPR hub NOYB, to databreaches.net and to IAPP for all this valuable information!

Finland:

Fact:

Finland's Office of the Data Protection Ombudsman fined University Pharmacy 1.1 million euros for allegedly using cookies and tracking technologies on its online platforms. That data was later leaked to third parties. The DPA said it is looking into similar problems at other pharmacies.
Read the press release (in Finnish): https://tietosuoja.fi/-/yliopi...

Netherlands:

Fact:

In 2015, upon his request, the father received a copy of his child's medical record from the controller but claimed that several details were missing, including details about the social worker. In May 2022, the father exercised his right to access, pursuant to Article 15 GDPR, requesting information from the controller about the social worker, log data on his child's file and involved healthcare providers registration data. The controller provided limited data, arguing further records didn’t exist or weren’t covered by the request.

The Court of Appeal said that the controller (the hospital) must choose to provide the personal data in a way that does not infringe the rights or freedoms of its employees and of the mother of the child, according to Article 23(1)(i) GDPR.

As a result, the court of appeal held that Hospital Saint Antonius failed to comply with a minor patient’s father’s access request by failing to disclose the log data of the child’s medical file. But the Court of Appeal rejected the request of access to healthcare providers’ registration details as disproportionate to the privacy interests of third parties. it orders the controller to pay a penalty of €100 per day it fails to comply with the orders with a maximum of €1,000 per separate order.

To send us a RFI/RFQ, a message, or to subscribe to our free GDPR Life Sciences Newsletter