
The New EU General Data Protection Regulation: What It Means For US Healthcare/Life Science Companies
Catherine Muyl, Colin Zick


Speakers: Catherine Muyl, Colin Zick, Marion Cavalier
Webinar, March 13, 2018
© 2017 Foley Hoag AARPI. All Rights Reserved.

Catherine Muyl, Partner, Foley Hoag, Paris, +33 (0)1 73 02 69 13
Colin Zick, Partner, Foley Hoag, Boston, 617-832-1275
Marion Cavalier, Associate, Foley Hoag, Paris, +33 (0)1 73 02 69 12

[...] gap between the EU and the US
GDPR is General. As of May 2018, Supervisory Authorities can impose administrative fines of up to 20 million Euros, or 4% of total worldwide turnover of the preceding financial year, whichever is higher. [...] about those rules?

EU Data Protection Rules: Who has to comply?
- Controller has an establishment in the EU; or
- Controller uses equipment, automated or otherwise, situated in the EU.
From May 2018:
- Controller or processor established in the EU; or
- Controller or processor not established in the EU where processing activities relate to: the offering of goods or services in the EU; or the monitoring of data subjects in the EU.

Scope of the EU Rules: What kind of data is covered? What kind of activity is covered?
EU Key Concepts
Personal Data: Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the (formerly: his) physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. [operative as from May 2018]
Processing: Any operation or set of operations which is performed on (formerly: upon) personal data or on sets of personal data, whether or not by automated (formerly: automatic) means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction (formerly: blocking), erasure or destruction. [operative as from May 2018]

Scope of the EU Rules
EU Key Concepts
Sensitive data (special categories of personal data): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, [...] genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. [operative as from May 2018]
Controller: The person or body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: The person or body which processes personal data on behalf of the controller.

EU Key Principles: Lawfulness of processing
To be lawful, the processing of personal data (other than sensitive data) must be based on one of the following legal grounds: consent / necessary for the performance of a contract / necessary for compliance with a legal obligation / vital interests / public interest / legitimate interests.
The processing of sensitive data is prohibited except if based on the following: explicit consent / vital interests / employment / preventive or occupational medicine based on EU law or pursuant to contract with a health professional / archiving, scientific or historical research purposes or statistical purposes.

EU Key Principles: Requirements for a valid consent
MUST BE:
- Given by a statement or clear affirmative action
- Freely given, specific, informed and unambiguous
- Proven by the data controller
- Withdrawn as easily as it is given
- Additionally for sensitive data (incl. health data): explicit
MUST NOT:
- Be inferred from silence, pre-ticked boxes or inactivity
- Make consent a condition for receiving a service
- Use confusing, unclear language
- Be bundled with other terms and conditions

EU Key Principles: How to draft my (explicit) consent forms?
Consent must be informed, therefore the following minimum information should appear in the form:
- the controller's identity;
- the purpose of each of the processing operations for which consent is sought;
- what (type of) data will be collected and used;
- the existence of the right to withdraw consent;
- information about the use of the data for decisions based solely on automated processing, including profiling.
Consent must be given in a granular and specific way. We advise a tick box for each purpose.
Is it mandatory to have a written and signed form?

EU Key Principles: Data Subjects' Rights
Information / Access / Rectification / Erasure ("right to be forgotten") / Restriction / Data portability / Objection

EU Key Principles: Exemptions for Scientific Research
Scope: Apply to organizations that process personal data for scientific research purposes as long as they implement appropriate safeguards, which include technical and organizational measures to ensure data minimization.
- Exemptions to some of the data subjects' rights: right to information and access / right to be forgotten / right to object
- Broader consent
- Further processing allowed

New Obligations Starting May 2018: Processors
Heavier obligations and liabilities for processors. Contracts between controllers and processors are now mandatory and must include:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subjects;
- the obligations and rights of the controller;
- a list of minimum terms, obligations of the processors to ensure that both the controller and the processor [...]

New Obligations Starting May 2018: Data Protection Officer
Controllers and processors not established in the EU must appoint a representative in the EU.
A Data Protection Officer must be appointed by controllers and processors where:
- Processing is carried out by a public authority or body; or,
- Core activities consist of processing operations which by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or,
- Core activities consist of processing on a large scale of sensitive data.

New Obligations Starting May 2018: Data Protection Impact Assessment
Required where a processing is likely to result in a high risk to the rights and freedoms of natural persons, for example:
- processing on a large scale of sensitive data (including health data);
- systematic monitoring of a publicly accessible area on a large scale (in particular CCTV);
- automated processing on which decisions are based that produce legal [...]
Mandatory Record: Obligation to maintain a record of processing activities containing the answers to the following questions: Who? What? Why? How? Where? Until when?

Transfer of data to non-EU Countries
Countries which do not provide an adequate level of protection (including the US):
Current transfer tools:
- to the US: [...]
- Contractual Clauses (SCC) issued by the [...]
- [...] Corporate [...]
Additional transfer tools as from May 2018:
- SCC issued by a Supervisory Authority
- Code of Conduct approved by the Supervisory Authority with binding and enforceable commitments from data [...]
- [...] with binding and enforceable commitments from data [...]

Security, Privacy and the Law: perspectives on the expanding universe of information security & privacy issues
Thank you!
FOLLOW US: @FoleyHoag

