EU General Data Protection Regulation and its impact on health data, multichannel retailers or employers

On December 2015, the institutions of the EU had published a compromise version of the new General Data Protection Regulation. It is very likely, that this version will be the new basis for data protection regulation within the EU (for more info, see dataitlaw article).

Many authors wrote about an impact of the new regulation on specific industries.


At HL Data protection, the author analyzed the use of health data. For this area, the author found important to note that:

  • further processing of data for scientific research purposes is permitted so long as the framework for safeguards around scientific research is complied with.
  • If an organisation decides to use health data for profiling activities then it must give affected individuals the right to opt out.
  • what amounts to scientific research? Though there is no definition in the GDPR, the recitals state that processing of personal data for scientific research purposes should be interpreted in a broad manner. This suggests that ‘scientific research’ could include a wide array of activities. Those representing the research interests of the charity, academic, and pharmaceutical communities have welcomed the position in the GDPR on scientific research. However, the GDPR does not expand on whether all health research, including research driven primarily for commercial gain, would be considered to be scientific research.
Not clear if under GDPR scientific research also includes research driven for commercial gain. Click To Tweet


At IT pro portal, the authors looked at an impact on multichannel retailers. They stress that:

  • GDPR will establish one single set of rules that will make it simpler and, it could be argued, cheaper for companies to do business in the EU
  • Companies suffering a breach with data protection implications will have 72 hours to report it to the local information commissioners, unless this personal data is unreadable or in an inaccessible state
  • data protection will need to be implemented by design and default in the roll-out of new services and technology. In the future, personal data will need to have a defined lifecycle and internal structures will need to be in place to assure compliance with GDPR requirements.
  • large businesses – those with more than 250 employees – and organisations whose core activities consist of processing operations will be required to appoint dedicated data protection officers.


After GDPR, a consent will no longer provide the safety net it has traditionally been for employers. Click To Tweet


Finally, at Taylor Wessing, they published an article about an impact on employers.

  • employers will need to find a new mechanism for obtaining an employee’s consent or find another ground on which to lawfully process an employee’s data (…) employers will need to give thought to each separate category of employee data and record the ground upon which they will rely in each case (…) the ‘one size fits all’ approach will disappear and consent will no longer provide the safety net it has traditionally been for employers.
  • It will also be important for employers to consider whether obtaining renewed consent from existing employees is necessary and, if so, how that is best approached.
  • data processing must be carried out for the original purpose(s) for which it was collected unless the new purpose is compatible.
  • The current fee of subject access requests chargeable by employers will disappear albeit employers will be given some discretion to charge a reasonable fee based on administrative costs in limited cases where the request is’ manifestly unfounded or excessive’. The 40 days statutory timeframe for a response will also be removed and instead be replaced with an obligation on employers to comply without ‘‘undue delay’ and within at least one month of a request.


Leave a Reply

Your email address will not be published. Required fields are marked *