Reasons that justify the processing of health data
The processing of personal data requires special reasons justifying it. In the case of sensitive health data, additional requirements must be met apart from the general data protection requirements. The Guidelines describe the practical reasons and possible exemptions using concrete examples (part 2 A.1 of the Guidelines, in German; PDF, 3 MB). They explain in particular the requirements regarding the approval by the person concerned, which is extremely important in practice, and present a best practice.
Organisational measures to protect health data
Companies that deal with sensitive health data must make organisational provisions to ensure the protection of these data. In the context of these provisions, employees must commit themselves to keep the data secret, and a list of all data processing operations must be drawn up. One important requirement is the appointment of a data protection officer who advises the company concerned on data protection and keeps in contact with the competent supervisory authority (part 2 A.II of the Guidelines, in German; PDF, 3 MB).
A risk-based data protection impact assessment helps to identify the specific measures to be taken. The Guidelines present the necessary procedures and refer to further guidelines and practical cases (part 2 A.VI of the Guidelines, in German; PDF, 3 MB).
Measures to safeguard users’ rights
Persons concerned are granted various rights to protect their data. First, they must be informed by companies about the processing of their data in a data protection statement. Furthermore, persons concerned can request information about their data and/or the correction or deletion of their data. They can object to the further processing of (some of) their data or request the transfer of these data to other suppliers. When companies develop products, they must therefore ensure that they can comply with these rights of persons concerned. In addition to the individual rights of persons concerned and their significance, the Guidelines contain proposals for relevant concepts for this purpose (part 2 A.III of the Guidelines, in German; PDF, 3 MB).
Data protection requirements
Data security is particularly important in the health sector. The persons concerned and the public react very sensitively to data leaks. The GDPR specifies the binding level of protection that must be achieved. The Guidelines describe these requirements in more detail and present examples of adequate security measures as well as the procedure and the related requirements in case of data leaks. In addition, they refer to further guidelines published by data protection authorities and associations (part 2 A.IV and A.V of the Guidelines, in German; PDF, 3 MB).