GDPR personal data protection

Patient Associations Guide

The European Union has allowed a two-year transition period for the organisations to be able to comply. Starting 25 May 2018, any organisation failing to meet the guidelines as laid down in GDPR is liable to a fine. The new rules promoted by GDPR are much stricter and affect all entities collecting/processing personal data. Personal data regarding the patient’s health is critical information in processes such as health care, including the assistance provided as part of an e-health system or scientific research.

Health information and genetic data are categorised as “sensitive data” and subject to additional protection under the GDPR.

The unauthorised disclosure of health-related personal information might have a negative impact on the patient’s personal and professional life.

Personal data consist of certain personal information that allows or might allow for the identification of the person.
What is personal data according to the GDPR?
The new European Regulation provides that “personal data” are construed as any information regarding an identified or identifiable natural person.
More specifically, such data refer to:
  • Name;
  • An identification number;
  • Location data;
  • An online identifier (IP addresses, cookie identifiers or other identifiers such as radio frequency identification tags);
  • Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.

Under which conditions may the patient’s personal data be processed?

  • If the patient expresses his/her clear and unequivocal consent for the use of his/her personal data - affirmative act;
  • If the patient makes his/her data public – it means he/she agrees that his/her personal data be processed by third parties;
  • When it involves the patient’s vital interest;
  • With the purpose to benefit from healthcare services;
  • In view of a general public interest;
  • For other reasons more specific to the scope of business – the foundations, associations may process the data of members, former members, or persons with whom he/she may come into contact in the course of their activity, provided it guarantees proper protection of such data;
  • Health-related data and genetic data of patients may also be processed in case of any legal claim;

What should an association do in order to be compliant?

  • To abide by the data processing principles provided by the GDPR;
  • To establish which personal data to collect;
  • To document data processing (rules, internal procedures);
  • To strengthen the security of the data processed;
  • To minimise the personal data collected;
  • To educate staff in key positions on data processing (training).
What personal data are collected?
  • Employees data;
  • Newsletter subscribers’ data;
  • Patients’ data;
  • Project data;
  • Fundraising campaign data;
  • Association members’ data;
  • Project-based collaborators’ data.
Data subjects’ rights
  • The right to request data rectification;
  • The right to have the data deleted;
  • The right to restrict data processing;
  • The right to data portability;
  • The right to submit a data access request (SAR);
  • The right to object;
  • The right to the automated decision-making process;
  • The right to lodge a complaint with the relevant authority;
  • The right to make any claims related to his/her personal data.
What should the confidentiality policy contain?
  • The identification data of the company processing the personal data;
  • The data are collected and processed by the company;
  • The purposes for which the data are collected and processed;
  • Consumers’ rights regarding their personal data;
  • Third parties having access to those data;
  • The type of data collected.
Security of processed data
The Regulation also requires the organisations to take mandatory technical measures in order to prove that personal data are protected.
Such measures should include:
  • Data pseudonymisation and encryption;
  • Other technical measures ensuring confidentiality;
  • Automatic tools to detect, categorise and classify personal data across the organisation;
  • The ability to restore data availability in case of incidents (DLP)


1. Conduct an internal audit and review all the data collected in order to establish whether the collection of such data about the users is necessary for the activity of the association.
2. Prepare an internal procedure regarding the information collected, stored and processed by the association.
3. Keep a register containing the personal information database held by your association.
4. Revise and update the drafts used to obtain the user’s consent for personal data processing.
5. Prepare and implement the personal information database security breach policy. Such policy should include at least the notification by which users are informed of the incident and the response plan (meaning the security measures taken to minimise damages).
6. Prepare and implement the policy regarding the users’ access to the information held by the association about them.
7. Provide specialised training to the personal data officer so that he/she could be able to handle the relevant requests.
8. Amend all the agreements in place as they should contain new clauses on the personal data used.
9. Update the agreements with clauses on the processing of member personal data and obtaining the relevant consent.
10. Check whether the third parties to which personal data might be transmitted share the information with non-EU countries.