The right to health data protection and the right to information, further than the right to privacy, according to the Spanish Constitution
Carolina del Valle Montoya Santiago
Métodos y Tecnologías de Sistemas y Procesos SL.
Summary
The new laws for the protection of personal data, both at European and at national level, point to a greater specification in the regulation of this category of sensitive data which, in principle, should provide greater clarity to the treatment of information concerning this type of data and, more specifically, the health message. However, if the regulatory development is exceeded, as may have happened with Organic Law 3/2018, the interpretation of the theoretical basis of the protected right may cast a halo of legal imprecision.
The sections of this Law begin by defining the basic regulation for the exercise of the right to the protection of personal data, stating that it will be exercised in accordance with the provisions of both Regulation (EU) 2016/679 and the Spanish Organic Law itself; consequently, this is the legal framework by which data relating to people's health are governed. In the same section, the Spanish legislator introduces, for the first time, specifically, the recognition of the protection of personal data as a fundamental right of natural persons, in line with what is precisely stated in Regulation (EU) 2016/679, which should be developed by the Spanish Act.
However, a constitutional basis is added to the right that concerns us, its guarantee being placed under the protection of article 18.4 of the Spanish Constitution concerning the rights to honor and to privacy. This asset is not included in the European Regulation, and it might happen that, by inserting it in the content of the Law, the defence of the right to information that also underlies informational self-determination could vanish into thin air, thus tipping the balance against the right to receive one's own health information as a part of the whole right to information.
Negotiating a data processing agreement: a practical perspective
Monika Kwiatkowska
Ping Identity Corporation
Summary
Putting in place a data processing agreement between a data controller and a data processor (or a data processor and a data sub-processor) is a requirement for data processed within the scope of GDPR. This document, which is a proper contract between the two parties, aims to ensure that everyone involved is handling personal data in accordance with GDPR's stipulations and in line with the rules pre-established by the parties. Most importantly, it lays down requirements for data processors to meet before they are trusted with the data provided by the data controller. Both data controller and processor are, however, often driven by divergent interests when establishing such a document. The main challenges are those relating to: responsibility for determining the scope and types of data processed; obligations to assist and cooperate; liability for implementation of adequate security measures and for security incidents; exercising data subjects' rights; questions relating to data residency and international data transfers; use of sub-processors; timeframe for notification obligations, etc.
The paper is a practical perspective on how these different issues are addressed by the business and what arguments can be raised by each party when discussing various aspects of the data processing.