Are We Subject to the General Data Protection Regulation?
Posted by donna@healthlawcenterplc.com in Jan, 2019
The General Data Protection Regulation (GDPR) was adopted by the European Union and became effective last year. GDPR’s purpose is to protect individuals’ personal data as it moves throughout the international economy. While the GDPR appears on its face not to significantly impact health care facilities and health care providers in the United States, it is important to know that in some instances a United States entity or person may fall under the GDPR’s umbrella.
The GDPR directly affects the transfer of personal data within the European Economic Area member states, which includes Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
Some examples of circumstances that may necessitate compliance with GDPR (by no means an exhaustive list) include:
A vendor which collects personal data from individuals residing within the European Economic Area.
A health care facility, vendor, or company which uses a mobile application to collect research data from individuals located within the European Economic Area.
Researchers based in the United States who recruit individuals to participate in clinical trials, and those individuals are located in the European Economic Area.
A health care facility, vendor, or company which stores personal data with a cloud storage vendor located in the European Economic Area, so that individuals’ data is transferred between the United States and the European Union cloud vendor.
For a more robust discussion regarding the application of GDPR, its scope and possible penalties related to any particular set of circumstances, contact Donna J. Craig, RN, JD at The Health Law Center.