On 8 April 2016, the Council of the EU adopted the General Data Protection Regulation (Regulation (EU) No 2016/679), which will enable people to better control their personal data, including health data, in the digital age and will facilitate business by simplifying rules for companies in the Digital Single Market.
The Regulation for the first time defines data concerning health, including the provision of health care services which reveal information about a person’s health status. Health information collected in community pharmacies about a patient’s medication data and reimbursement data will be subject to this Regulation. Member States may define the specific processing situations, including determining more precisely the conditions under which processing of personal data is lawful.
Under the General Data Protection Regulation the processing of health data is prohibited unless the following conditions are met:
(1) Explicit consent is provided, and a Union or Member State’s law does not prohibit the processing of such data; and
(2) The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. The processing needs to be based either on a specific law or pursuant to a contract with a health professional (i.e. pharmacist).
(3) The processing is necessary for reasons of public interest and is based on a Union or national law of a Member State. In this case, no consent is required. The Regulation considers that data processing within the context of the management of health might be done on grounds of public interest.
The Regulation will need to be implemented into national legislation by 25 May 2018. PGEU is closely monitoring the implementation of the Regulation at national level and facilitates the exchange of best practice among its members.