Pharmaceutical Group of the European Union

Members Area

Data Protection Regulation

Pharmacists manage and process medication records of patients in relation to, for instance, prescription medicines, adverse drug reactions, medicines interactions and allergies in the framework of their pharmacovigilance obligations, amongst others. In several European countries, community pharmacists utilise ‘Dossier Pharmaceutiques’(‘Pharmaceutical Records’) where medication data is safely and securely recorded and processed for multiple purposes, including identifying potential interactions, duplications, adverse drug reactions, allergies and general adherence. One of the aims of this tool is to be proactive in anticipating and minimising medicines safety issues.

On 8 April 2016, the Council of the EU adopted the General Data Protection Regulation (Regulation (EU) No 2016/679) which will enable people to better control their personal data, including health data, in the digital age and will facilitate business by simplifying rules for companies in the Digital Single Market.
The Regulation for the first-time defines data concerning health, including the provision of health care services which reveal information about a person’s health status. Health information collected in community pharmacies about a patient’s medication data and reimbursement data will be subject to this Regulation. Member States may define the specific processing situations, including determining more precisely the conditions under which processing of personal data is lawful.

Under the General Data Protection Regulation the processing of health data is prohibited unless the following conditions are met:

(1) Explicit consent is provided, and a Union or Member State’s law does not prohibit the processing of such data; and

(2) The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. The processing needs to be based either in a specific law or pursuant to a contract with a health professional (i.e. pharmacist).

(3) The processing is necessary for reasons of public interest and is based in a Union or national law of a Member State. In this case, no consent is required. The Regulation considers that data processing within the context of the management of health might be done on grounds of public interest.

The Regulation will need to be implemented into national legislation by 25 May 2018. PGEU is closely monitoring the implementation of the regulation at national level and facilitates best practice exchange among members.