29 Mar Veterinarians and veterinary clinics will not avoid the application of the GDPR regulations
On 25 May 2018 the GDPR becomes applicable, that is, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”, “Regulation”). The previous European rules on the protection of personal data took the form of a directive and had to be implemented in the legal systems of the Member States through relevant national laws. The GDPR was adopted in the form of a regulation, which does not have to be implemented in individual countries. This means that the provisions of the GDPR will apply directly and will be effective without the need to pass additional laws.
The key question from the perspective of every entrepreneur, including veterinarians and owners of veterinary clinics, is whether they are subject to the GDPR and whether they have any obligations under the provisions of the GDPR. There is only one answer to the above-mentioned questions – yes, every entrepreneur conducting economic activity in the European Union is subject to the provisions of the GDPR, regardless of the form of business activity or size of the enterprise.
What are personal data and what does “processing” mean?
Or maybe I do not process personal data at all? Let us therefore explain what personal data are within the meaning of the GDPR. According to the definition provided in the Regulation, personal data is any information relating to an identified or identifiable natural person. An identified person is, for example, the owner of an animal whose identity we know and whom we can distinguish from other people. An identifiable person, by contrast, is for example a client whose identity we do not know but can establish using the means we have. Examples of obtaining personal data are receiving a business card with a name and phone number, or an e-mail containing an address that enables identification of a specific person, for example a client who has sent an inquiry to the hospital regarding treatment of his animal.
From the perspective of a veterinary surgeon who wonders whether his business relies, to any extent, on the processing of personal data, it is extremely important to emphasize that the GDPR introduces a very wide definition of “processing”. Processing is any operation performed on personal data or sets of personal data, in an automated or non-automated way, such as collecting, recording, organizing, storing, adapting or modifying, downloading, browsing, using, disclosing by sending, distributing or otherwise sharing, matching or combining, limiting, removing or destroying. The scope of activities considered to be processing of personal data is so broad that it would be difficult for any entrepreneur, including veterinarians or owners of veterinary clinics, to conclude that no personal data are processed in their case.
Sample personal data processed in veterinary medicine
In connection with the above, the question arises which sets of personal data can be distinguished in the case of veterinarians who run individual practices or veterinary clinics. Certainly there will be a set of personal data of clients, i.e. animal owners, but also a set of data of employees or co-workers and a set of data of contractors’ representatives, for example sales representatives of pharmaceutical companies or people representing other entities with which a given doctor or clinic cooperates. While conducting the audit and preparing for the implementation of the GDPR, it is also possible to find and characterize personal data sets other than those indicated above. This is an individual matter that depends on the type of business activity and the way it is conducted.
Data processed in veterinary medicine should certainly be distinguished from data processed in human medicine. First and foremost, it should be emphasized that the activities carried out by veterinarians do not involve processing special categories of personal data, commonly referred to as “sensitive data”. Sensitive data include, among others, data on the health of patients, hence the requirements addressed to medical doctors or other medical entities differ significantly from the requirements placed on veterinarians. This is because data on the health status of animals are not classified by the GDPR as special categories of data, i.e. sensitive data. Therefore, legal, organizational and technical solutions for the protection of personal data prepared for human medicine will not necessarily be applicable in veterinary clinics.
The basis for the processing of personal data
It should be remembered that, to ensure the lawfulness of the processing of personal data, every veterinarian or owner of a veterinary clinic should be able to prove that the data are processed on an appropriate legal basis. In the case of customer data processed in connection with the treatment of their animals, the basis should be the consent expressed by clients already at the stage of registration in the clinic. The information obligation, covering the client’s rights with regard to his personal data, should also be fulfilled at this stage. Another basis, a contract, will be used where data processing is necessary to perform a contract with the data subject. This will most often concern employees or co-workers.
Penalties provided for breaching the provisions of the GDPR
The GDPR also introduces an obligation to report any breaches of the security of personal data within 72 hours of the violation, directly to the competent supervisory authority. With such restrictive obligations, one cannot forget about the sanctions that the Regulation provides for failure to implement and comply with the new provisions on the protection of personal data. These sanctions may affect every veterinary practitioner conducting business in the EU. Severe financial penalties range from 10 to 20 million euros or from 2% to 4% of the annual global turnover of the company, depending on which value is higher. At the same time, by way of reassurance, it should be pointed out that penalties will be imposed proportionally, depending on the scale of the violation.
What to do before May 25, 2018?
In the face of the upcoming date of application of the provisions of the GDPR, every veterinarian or owner of a veterinary clinic needs to develop and implement procedures and measures that ensure the security of the personal data being processed, including methods of regularly testing and assessing their effectiveness. The new responsibilities are a serious challenge for all entities on the market, due to the lack of ready-made solutions. This challenge is not limited to the veterinary industry: all entrepreneurs who process personal data to any extent must face it. The GDPR does not directly regulate which documents, procedures and policies should be implemented. It states only in general terms that the entity must exercise due diligence in securing these processes in order to avoid any irregularities during the processing of personal data.
In addition to the obligations and requirements addressed to the entities processing personal data, the GDPR increases the scope of rights of data subjects, i.e. the clients, employees or co-workers of the clinic. Individuals whose data are processed will now be able to, for example, exercise the right to be forgotten and the right to transfer data. It is the responsibility of the entities processing the data to enable data subjects to exercise these rights.
In conclusion, it should be emphasized that the Polish legislator is currently working on an amendment to the Act on the protection of personal data, which will help clarify some of the issues contained in the GDPR. Recall that from May 25, 2018, Polish regulations must ensure effective application of the provisions of the Regulation, without duplicating its solutions or contradicting it. The latest version of the draft law on personal data protection, published by the Government Legislation Center on March 20, 2018 and approved by the Council of Ministers on March 27, 2018, no longer contains any exemptions for companies, whether you are a micro-enterprise or a large corporation. This means that every entrepreneur, including every veterinarian conducting business activity, will be subject to the same provisions of the GDPR.