On February 2nd, the European Data Protection Board (EDPB) published a series of responses to questions submitted by the European Commission (Justice and Consumers section). The consultation asked the EDPB to resolve questions about the protection of personal data used in clinical research.
The document is divided into six sections, each developed over several paragraphs, answering questions that range from ethical issues and informed consent to anonymization processes and the collection and processing of personal data obtained in medical research.
Regarding informed consent and data processing, special focus is placed on its legal basis and on the distinction between informed consent and consent as a legal basis for processing under the General Data Protection Regulation (GDPR), the two being complementary forms of protection; and on the need for a specific consent from the patient when the treatment under investigation is the only remaining option to improve the subject's quality of life.
The same applies when data controllers conduct clinical trials in several EU Member States: the legal basis must be harmonized across all of them while the project is being conducted, in order to comply with the GDPR as well as each country's local rules.
An interesting topic that the document attempts to clarify, although it is left for a later consultation, is the possibility of extending the consent given by the data subject (the trial participant) in one trial to other trials of the same nature.
Related questions about the Data Protection document
Regarding broad consent in clinical trials, the EDPB refers to Recital 33 of the GDPR, which relaxes the requirement of specific consent when the purpose of the processing cannot be fully determined at the time the data is collected.
Finally, the document addresses related issues such as:
1) The use of information obtained directly from the data subject for purposes other than those originally communicated, whether that is permissible and, if so, in which cases and how the transparency requirement must be met.
2) The application of pseudonymization and anonymization processes to personal data in clinical trials.
3) The processing of special categories of data, and their processing on a large scale, during clinical trials.
For further information or professional advice regarding clinical trials, legal requirements, compliance, and data protection, you can contact the members of Moeller's Legal Department in charge of this area through our Relationship Managers Vivien Racy and/or Vivianne Cardoso, following this link.
Given the worldwide importance that the protection of personal data has acquired, and its status as a human right in many legal systems around the world, an adequate protection framework is needed, one that is not limited to the laws regulating the processing and safeguarding of data but also extends to the relationships between data controllers, data processors, third-party companies and the data subjects.
Since personal data has entered every area of interaction, the law is no stranger to it, least of all in the contractual field, which is one more link in the chain of measures aimed at protecting any accumulation of information, present or future, that can be related to an identified or identifiable natural person. It is therefore worth listing the contracts used in these situations, both online and in the relationships between the data subject and the data controller, and between the controller and the data processor.
It may be considered that the privacy policies found on most websites have a contractual legal nature: their content is predetermined, and the user may select browsing preferences to determine which data they allow to be shared or collected and which not. A privacy policy typically covers:
- What information will be collected (names, emails, phone numbers, etc.).
- How the information will be used (for statistics, to improve the shopping or browsing experience, promotions, Email Marketing, etc.).
- What will be done with the collected data.
- The possibility of modifying the policy in the future.
- Contact form (for modifications, updates, or cancellations).
- Cookies policy.
- Relevant information about how the data is protected.
Terms and conditions
This is an unnamed, online, electronic contract of adhesion to pre-arranged clauses.
Terms and conditions are established between the user of a website and the owner of that site. They are mainly intended to inform the user about the content of the page and the services offered through it, as well as to tell the user what is done with the collection and processing of their personal data and which data is transferred to the controller through the site.
The terms and conditions also establish the duties and responsibilities of the user, the correct use of the site, intellectual property issues and the applicable legal framework, among other matters.
Privacy policies may be found separately from the terms and conditions or within a single, identified document.
The outsourcing contract, in general terms, is intended to delegate to a company or a specialized natural person a portion of a business process for which another company is responsible, where the latter considers the former better suited to carry out that portion of the process. It is the outsourcing of activities.
In the field of data in general and personal data in particular, a company whose activity requires or feeds on such data hires another to manage and process the personal data. The owner of the database is the data controller, and the data processor is the third party that provides the outsourcing service.
Points to consider in the data outsourcing contract
- The data controller should include a clause obliging the data processor to fulfill and respect the purpose for which the database or registry was created, not to carry out acts that undermine that purpose, to keep the data obtained confidential and to apply processing that serves those purposes.
- As the data processor acts on behalf and under the instructions of the owner of the database, it must follow the instructions given by the latter, within the framework and purpose of the contract and in accordance with the contract and, where applicable, the criminal law governing the matter. This is especially important given the controller's responsibility for the data, for its choice of processor and for the processor's conduct towards third parties.
- The data processor must refrain from transferring the data being processed to third parties. The processor is not authorized to obtain from the data subject consent for such a transfer, as it is neither the owner of nor the party responsible for the database.
- Once the objective or purpose for which the data were collected and processed has been fulfilled, the data processor must return all of that information to the data controller and may not store or keep the data, unless expressly agreed subsequent circumstances justify the processor retaining it.
- The processor must be bound by a duty of confidentiality, which consists primarily of not disclosing the personal data entrusted to it, nor using it for purposes contrary to the contract, the law, public order or the rights of data subjects and third parties. This duty must be maintained even after the contractual relationship between the parties has ended.
- Both the data processor and the data controller have a security duty, covering not only the processing of the data in general but also ensuring that the databases in which the data are stored have a level of security appropriate to the information stored there.
Transfer of data
The transfer of personal data is a contract established between the data controller and third parties or companies. It necessarily requires the consent of the data subject, and the reason for the transfer must be stated; that reason must relate to the legitimate and lawful activity of the party responsible for the database, file, registry or archive, or to the activity of the assignee.
The object of the data transfer contract must be limited to the data contained in the databases, registers and files collected by the controller.
At Moeller IP Advisors we have a specialized worldwide team able to advise on drafting contracts and specific clauses involving personal data, in both corporate and digital environments. Contact us!
1. Introduction: MERCOSUR-EU Agreement and the legislation on Data Protection
As is well known, last year, after several rounds of negotiations, the agreement between MERCOSUR and the European Union on economic matters was reached. The agreement covers customs duties, trade in goods and services, sanitary measures, intellectual and industrial property rights, SMEs and dispute resolution, among other issues of relevance to both blocs.
Among these issues, although not as an integral part of the text of the agreement, discussions on the protection of personal data were also included. The Member States of the European Union are currently governed by the General Data Protection Regulation (GDPR), which has been mandatory since May 25, 2018. During her visit to Argentina in July of last year, the European Commissioner for Justice, Consumers and Gender Equality, Vera Jourova, spoke about the benefits that regulation and harmonization of data protection legislation would bring to both blocs.
The EU is certainly at the forefront in this matter. For the agreement to advance, for both blocs and above all for the MERCOSUR countries, their laws must be harmonized with the provisions and principles of the GDPR. This would bring a quantitative and qualitative leap towards respect for individual rights, self-determination over the processing of one's data on the internet and in files, and the definitive recognition of data protection as a fundamental human right, among other gains.
At present, with the coronavirus pandemic affecting the whole world, the negotiations have stalled, since the countries of each bloc have urgent issues to address. However, it is noteworthy that the will to move forward remains intact.
That is why it is necessary to review the state of the MERCOSUR countries' laws on the protection of personal data, and why this time should be used to adapt them to the standards required by the EU, so that the negotiations can finally be concluded when the agreement between the two trade blocs is revised.
2. Country by Country: MERCOSUR-EU Agreement and the legislation on Data Protection
The law regulating the protection of personal data in Argentina is Law 25,326, enacted on October 4, 2000, and currently in force.
This law regulates the processing of personal data, its classification, the principles that should govern its processing, the international transfer of data, the rights of data subjects, the administrative and judicial remedies available to them to obtain the deletion, rectification, modification, addition and correction of data held in public or private files or databases, and the obligations of the owners of those files or databases when collecting and processing personal data.
In Argentina, the enforcement authority for personal data and access to public information is the National Agency of Access to Public Information, which has a secretariat, the National Office of Protection of Personal Data, in charge of regulating and supervising everything related to personal data and compliance with the Personal Data Protection Law.
In 2018 a bill was presented to amend the Data Protection Law and bring it as close as possible to GDPR standards, but unfortunately the bill lost parliamentary status this year.
In Brazil, the new Law on Personal Data Protection, No. 13,709 (LGPD), was enacted in 2018. On August 26 the Brazilian Parliament decided not to extend the suspension of its enforceability, so it is now the law in force in Brazil regulating the protection of the personal data of natural persons, whether processed within the country or by foreign companies processing the data of persons located in Brazil.
This law has many points in common with the European GDPR. It establishes an adequate legal framework for the collection, processing and storage of personal data in general and sensitive data in particular, as well as the obligations and responsibilities of the processors and controllers who collect, process, select and store personal data, who may be subject to administrative, civil and criminal sanctions in case of non-compliance.
Likewise, it establishes the rights of data subjects to give informed consent to the collection and processing of their data and to control access to, correction, rectification, updating, anonymization and deletion of their data held in public and private databases.
The law makes it mandatory, in certain cases, to appoint a Data Protection Delegate, and the enforcement authority is the National Data Protection Agency of Brazil.
In Paraguay, the protection of personal data is regulated not only by the country's Constitution but also by Laws No. 1682/2001 and 1969/2002 (which amends the first) and Law 5542/2015.
This set of laws regulates, among other issues, the processing of personal data contained in public and private files, records and databases. The collection and processing of personal data is only allowed for scientific, economic, statistical or marketing purposes.
However, the current legislation says nothing about the figure of the database administrator, although it does regulate the obligations of those responsible for the databases. Nor does it distinguish between processors and controllers, or establish any obligation to report data breaches or incidents involving personal data.
The international transfer of data and its regulatory framework are not addressed in Paraguayan legislation.
Likewise, there is no authority in Paraguay that regulates the protection of personal data and compliance with the law.
Finally, although the law establishes nothing about claims before administrative or judicial bodies for violations of personal data, penalties are established by other regulations, which give those whose data have been violated the right to seek compensation before the civil or criminal courts.
A bill was presented to the Paraguayan Parliament in 2019.
In Uruguay, personal data is governed by Law No. 18,331, amended by Law No. 19,670, whose regulatory Decree 64/020 modified certain articles of the former.
The law regulates the following aspects:
a) it establishes a glossary of definitions relating to personal data and the applicable principles;
b) it regulates the registration of the databases of entities that collect and process personal data, whether they are located in Uruguay or, under certain circumstances, process the personal data of persons residing in Uruguay;
c) it requires public and private entities to appoint a Data Protection Officer and sets out that officer's obligations and responsibilities;
d) it requires the informed consent of the data subject to collect and process their data;
e) it regulates the international transfer of data, the cases in which it is permitted and the requirements for transferring data to third parties;
f) it sets out the obligations of the controller and the database administrator;
g) in the event of a personal data breach or incident, collectors, processors and those responsible for the databases must give notice and take the measures necessary to minimize risks;
h) it provides administrative sanctions for non-compliance with the law, ranging from a warning to fines.
The enforcement authority for data protection in Uruguay is the Regulatory and Control Unit of Personal Data.
In February 2020, Law 19,670 was regulated. Among other issues, it complements Law 18,331 in terms of: 1) the adoption by the controller of technical and/or organizational security measures to avoid and/or minimize incidents and breaches involving personal data; 2) the promotion of national and international cybersecurity standards; 3) the documentation of such measures and the planning and impact assessment regarding personal data.
3. Conclusion: MERCOSUR-EU Agreement and the legislation on Data Protection
Having briefly described the agreement between the European Union and MERCOSUR and the current state of the negotiations, and reviewed the legislative situation of some of the countries in the latter bloc, it is clear that an adequate level of personal data protection is essential, especially because of the extraterritorial reach of the GDPR and the cross-border flow of data.
Today we are witnessing a new era in human rights, in which digital self-determination has its place. The right to digital existence cannot be overridden by other considerations, such as economic ones, and that existence must be protected against any kind of violation.
Likewise, the laws of both economic blocs must be harmonized, which obliges MERCOSUR to take all necessary steps to adapt its laws and to regulate this new human right, in order to reach safer agreements in pursuit of a globalization that reconciles and protects this emerging right.
Finally, it is worth highlighting the position of countries such as Argentina and Uruguay, which the European Union recognizes as ensuring an adequate level of protection of personal data, placing them at the forefront of the region.
However, Argentina must update its law in order to maintain that position in the face of the constant demands of a world that is globalized both materially and digitally.
mHealth or “telemedicine”
One of the remarkable changes that technology has brought in recent times is mHealth. Among other things, it makes it possible to be attended by a doctor without physically going to a hospital, directly from the comfort of home, with nothing more than an electronic device with an internet connection. This is what is commonly known as “telemedicine”, and it is delivered through applications.
However, it must be borne in mind that between these mobile apps and the user there is a significant flow of personal data, and more precisely of sensitive data, such as access to the patient's medical history. That is why these tools must be accompanied by specific State regulation, so as to prevent the compromise of user data, e.g. by requiring encryption of the information.
Implementing these applications also involves several actors, mainly: companies providing health services, the Ministry of Health, the agencies that regulate health matters, and those in charge of protecting personal data.
For example, in the United States the FDA is the body in charge of supervising the implementation and operation of mobile applications intended to offer health services, which must comply with a series of pre-established requirements and standards depending on the function they perform (diagnosis, treatment, access to clinical information, etc.).
Lastly, it is essential to point out that, in addition to the oversight the relevant institutions must exercise over the data processed through mHealth devices, these apps must comply not only with approval standards as such but also with the regulations and standards that protect private data in general and sensitive data in particular, notably the following measures:
1) A risk assessment;
2) Pseudonymization and encryption of personal data;
3) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
4) The ability to restore the availability of and access to personal data quickly in the event of a data breach;
5) A process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.
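Pseudonymization is named twice on this page, once among the EDPB's clinical-trial topics and once in the list of measures for mHealth apps, but neither passage shows what it looks like in practice. The following is an added example, not code from the EDPB, the FDA or Moeller IP Advisors. It replaces the direct identifiers of constructed patient records with a keyed pseudonym (HMAC-SHA256) so that the controller, who holds the key separately from the data, can still link a patient's records, while anyone holding only the pseudonymized dataset cannot recover or recompute the identities. The field names, the sample records and the choice of HMAC-SHA256 are assumptions made for the example; the idea of keeping the "additional information" apart from the data is the one in the GDPR's definition of pseudonymization.

```python
"""Keyed pseudonymization of clinical / mHealth records (added example)."""
import hashlib
import hmac
import json
import secrets

# Fields treated as direct identifiers; these never leave the controller in clear.
# (Field names are assumptions for this example.)
DIRECT_IDENTIFIERS = ("patient_id", "name", "email", "phone")

# Constructed sample records, as an mHealth backend might receive them.
SAMPLE_RECORDS = [
    {"patient_id": "AR-000123", "name": "Ana Perez", "email": "ana@example.org",
     "phone": "+54 11 5555 0101", "diagnosis": "hypertension", "bp": "150/95"},
    {"patient_id": "AR-000123", "name": "Ana Perez", "email": "ana@example.org",
     "phone": "+54 11 5555 0101", "diagnosis": "hypertension", "bp": "142/90"},
    {"patient_id": "AR-000777", "name": "Luis Gomez", "email": "luis@example.org",
     "phone": "+54 11 5555 0202", "diagnosis": "asthma", "bp": "118/76"},
]


def pseudonym(identifier: str, key: bytes, context: str = "trial") -> str:
    """Derive a stable pseudonym with HMAC-SHA256 under a secret key.

    The same identifier always yields the same pseudonym under one key, so a
    patient's records stay linkable; without the key the mapping can neither be
    reversed nor recomputed from public data (a plain SHA-256 of the patient id
    could be, by hashing every plausible id). The context string separates the
    pseudonym spaces of different trials, so one study's pseudonyms cannot be
    joined against another's.
    """
    msg = f"{context}\x00{identifier}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_record(record: dict, key: bytes, context: str = "trial") -> dict:
    """Copy of the record with direct identifiers dropped and one pseudonym added;
    clinical fields are kept for research use."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_pseudonym"] = pseudonym(record["patient_id"], key, context)
    return out


def pseudonymize_dataset(records, key: bytes, context: str = "trial") -> list:
    return [pseudonymize_record(r, key, context) for r in records]


def leaks_identifier(dataset, records) -> bool:
    """Release check: True if any direct-identifier value survives in the output."""
    blob = json.dumps(dataset)
    return any(str(r[f]) in blob for r in records for f in DIRECT_IDENTIFIERS)


def records_for_patient(dataset, patient_id: str, key: bytes, context: str = "trial") -> list:
    """Controller-side re-linking: only possible for whoever holds the key."""
    p = pseudonym(patient_id, key, context)
    return [r for r in dataset if r["subject_pseudonym"] == p]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the controller, never shipped with the data
    dataset = pseudonymize_dataset(SAMPLE_RECORDS, key, context="trial-A")
    print(json.dumps(dataset, indent=2))
    print("identifier leak:", leaks_identifier(dataset, SAMPLE_RECORDS))
    print("records of AR-000123:", len(records_for_patient(dataset, "AR-000123", key, "trial-A")))
```

Two points the code makes that the list above does not: the pseudonymized dataset is still personal data under the GDPR, because the controller can re-link it with the key, so it is not anonymization; and the key must be stored and access-controlled apart from the dataset, since whoever obtains both holds the original identities.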
The protection of personal data has gained relevance over the last year all over the world. Examples of this phenomenon are the implementation of the General Data Protection Regulation (GDPR) in the European Union in 2018 and the new laws, amendments to existing ones and judicial decisions that Latin American countries have begun to adopt to align with the EU regulation.
In this respect, in a recent ruling the Supreme Court of Justice of the Nation of Mexico (SCJN) analyzed the relevant retention period for personal data under the Law for the Protection of Personal Data in Possession of Obligated Subjects of the State of Guerrero and declared part of that law invalid, because it set generic retention periods for personal data.
The Court held that this generic period violated the right to the protection of such data, since their processing must be assessed individually in each specific case, so the applicable retention periods must be determined according to the provisions applicable to the matter in question.
As a result, the Supreme Court ordered the Institute of Transparency, Access to Information and Protection of Personal Data of the State of Guerrero to issue, within 90 days, the guidelines referred to in the corresponding general law. Finally, it is important to note that this decision was extended to other states such as Jalisco, Michoacán and Sinaloa, where the Institute of Transparency, Public Information and Protection of Personal Data was notified to adapt its regulations to this criterion, since the local law had improperly extended the period to one year.
Source: www.elpuntocritico.com
The protection of personal data is a fundamental right of citizens that must be observed by any type of organization, public or private. Companies, professionals and organizations of every kind collect and process data of natural persons (clients, patients, employees, etc.) and are therefore responsible for the security and protection of that data. Let's look at the personal data updates in Latin America.
Personal Data Updates in EU and Latin America
After the approval of the new General Data Protection Regulation (GDPR), Regulation 2016/679, in the European Union in 2016, and its entry into force on May 25, 2018, repealing Directive 95/46/EC, the rules of the game have changed not only for EU countries and their public and private institutions; the wave of updates to national regulations on this issue has also reached Latin America, specifically countries such as Argentina, Uruguay, Chile and Brazil.
In the case of Argentina, a bill was recently submitted to Congress that would replace Personal Data Protection Law No. 25,326, in force since 2000, in an attempt to align the country's data protection standards with the GDPR. The bill includes mandatory breach notification requirements, the appointment of a DPO in certain circumstances, the right to data portability and the right to be forgotten, as well as new liability standards. Likewise, Resolution 159/2018, published in the Official Gazette of December 5, 2018, changed the authority for the protection of personal data, which until now has been the National Directorate for the Protection of Personal Data. With the entry into force of this resolution, the new Argentine authority will be the Access to Public Information Agency.
Chile has a law dedicated to data protection, Law No. 19,628 on Protection of Privacy, published in the Official Gazette on August 28, 1999. There is currently a bill in the Senate, about to be approved, that would significantly amend Law No. 19,628 in order to increase privacy protection and comply with international data processing standards and the guidelines of the Organisation for Economic Co-operation and Development (OECD). It is worth highlighting that the Chilean data protection authority was created relatively recently, in 2017.
With regard to Uruguay, in August 2018 it adopted a decree requiring most data controllers to register their databases with the Uruguayan data protection supervisory authority, the Regulatory and Control Unit of Personal Data.
Finally, Brazil is the Latin American country that has made the most radical change in this area. On August 14, 2018, Brazil enacted the Lei Geral de Proteção de Dados Pessoais (LGPD), the first general privacy law in the nation's history. The law, which will take effect on February 16, 2020, is very similar to the GDPR, including its expansive definition of personal data and its strong emphasis on both the rights of data subjects and the requirement of legal bases for processing personal data. This marks a very important milestone for Brazil, which previously lacked an appropriate law regulating the protection of personal data.
Conclusion of Personal Data Protection
In conclusion, and as mentioned at the beginning of this article, this legislative activity in South America follows a wave of efforts to modernize data protection laws worldwide, which includes other latitudes such as Israel, Japan and South Africa. It is therefore to be expected that during 2019 more countries will join this data protection movement.