The Netherlands: Health sector once again on the radar of DPA

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens,  “Dutch DPA“) previously stated that it shall focus its enforcement actions on the public and health sector, and seems to act upon its words. Just a few months after the Dutch DPA inspected more than 100 hospitals and health insurers on whether they comply with the obligation to appoint (and publish the details of) a Data Protection Officer, this week it announced more news and monitoring action with respect to the health sector.

First of all, the focus seems to lie on accountability, one of the core data protection principles. The GDPR (Article 24 par. 2) explicitly sets out that, where proportionate in relation to the processing activities, organisations must implement appropriate data protection policies. The Dutch DPA has requested such data protection policies from 53 organizations, including blood banks and IVF clinics, which by virtue of their processing activities are subject to the obligation to implement such policy. This is not to be confused with the requirement to have in place privacy or information notices on the basis of Articles 13 and 14 GDPR, which apply regardless of the (type of) processing activities. The Dutch DPA shall assess whether the policies meet the GDPR requirements, e.g. whether it includes information regarding the categories of personal data processed, the purposes of the processing, the security measures, the rights of data subjects and how they can exercise these rights. The Dutch DPA states that organizations that do not have a data protection policy in place which meets the requirements, violate the GDPR and may be subject to enforcement actions by the Dutch DPA.

In addition, the Dutch DPA has issued further guidance on the concept of ‘large-scale’ processing for all healthcare providers, which is relevant for the obligation to appoint a DPO. For part of the healthcare sector, namely hospitals, general practitioners and care groups, the Dutch DPA previously stated that it shall always interpret their processing of personal data as large-scale processing (regardless of the amount of patients). For all other healthcare providers, the Dutch DPA considers processing as large-scale if (i) the healthcare provider has registered or treats more than 10,000 patients per year on average, and (ii) the personal data of these patients are included in one information system.

Lastly, interesting to point out as well is that the Dutch DPA also announced that it received more than 10.000 privacy complaints from individuals since the GDPR came into force, from which 9% are aimed at health organizations. As such, it is now clear that the health sector is clearly on the radar of the Dutch DPA and organizations should be aware of their responsibilities. Not only should compliance be ensured, but also demonstrated.

Ilias Abassi