General Data Protection Regulation

Ace your homework & exams now with Quizwiz!

What was the purpose of the EU-US privacy shield framework?

To support cross-boarder data transfers by businesses from EU member states to US The company adheres to these principles including: Notice, choir accountability , access and resource, enforcement and liability The company has certified that it adheres to this to the US department of commerce

which of the documents at the company comply with GDPR requirements

MSAs, site agreements, feasibility documents and CDA templates, ICFs

What does GDPR permit EU member states to introduce?

more specific provisions in a number of areas including employee data processing. Therefore, local data protection laws need to be considered

The GDPR applies to the processing of personal data:

1. By EU establishments where personal data is processed in the context of the activities of the establishment (regardless if processing occurs in EU) 2. By non-EU establishments where person data about EU data subjects is processed in connection with: a. Offering goods or services to Data Subjects in EU b. Monitoring the behavior of data subjects that takes place in the EU

What is GDPR

An EU regulation that is directly applicable as of 25 May 2018 Replaces and repeals the Data Protection Directive Designed to harmonize

What is Processing

Any action or set of actions performed on Personal Data including the collection, recording, storage, use erasure and destruction of personal data

Example 1: Company processes many types of personal data from clinical trial patients, which may include sensitive personal data such as health data. Who is the Data Processor and who is the Data Controller?

Company is Data Processor Sponsor/Site are Data Controllers

Example 3: Medpace processes personal data of its employees. Is the Company a Data Processor or a Data Controller?

Company is a Data Controller?

Example 2: Company processes personal data from vendors, consultants, investigators, site staff personnel, and other third parties. Is the Company a Data Processor or a Data Controller?

Company may be Data Controller or a Data Processor

Who is subject to significant administrative fines?

Data Controllers and Data Processors

Rights of Data Subjects

Data Subjects have the right to obtain confirmation from a Data Controller as to whether or not the Data Controller is processing Personal Data relating him or her Company is generally a Data Controller for its employees personal data Company is usually not a Data Controller of a study patients' personal data, instead the sponsor or site is the data controller If the data controller does process the data subjects personal data, it must provide the data subject with access to a copy of the person data and supplemental information as set forth in the GDPR

Who submits SARs ?

Data subjects

Company has committed to respecting whose privacy and rights?

Employees Clinical Trial patients Sponsor personnel Investigators Site Staff personnel Vendor personnel and other Third parties

What happens if you become aware of accidental or unlawful destruction, loss, potential loss, alteration or unauthorized disclosure of or access to any personal data

Immediately report it

What is the cost of infringement

Infringement of certain provisions of the GDPR could result in fines up to 20,000,000 euros or up to 4% worldwide annual revenue of the prior financial year, whichever is higher

What principles must be complied with when processing personal data?

Lawfulness, Fairness, Transparency Purpose Limitation Data Minimization Accuracy Storage Limitation Integrity and Confidentiality Accountability

Who does as Data controller notify if there has been a personal data breach

National supervisory authority and in certain instances the data subject. a. National supervisory: Required to contact without delay and in any event within 72 hours of becoming aware of the breach b. Data controller: without delay after becoming aware c.

Is GDPR expected to have a major impact on the company?

No

Should personal data be written down?

No

What is a Data Controller

Party that determines the purposes and means of the processing of personal data

Integrity and Confidentiality

Person Data must be processed in a way that appropriately ensures its security Personal Data must be protected from unauthorized and unlawful processing and from accidental loss, destruction and damage Appropriate technical and organizational security measures must be used to ensure this. These measures may include encryption, training and physical security

Purpose Limitation

Person data must only be collected for specified, explicit and legitimate purposes Personal data must not be further processed in any manner that is incompatible with those purposes The company processes personal data for: a. employee data related to employment b. personal data of individuals (including patients, and investigators) involved in clinical trials for purposes of conducting the clinical trial c. contact information for business communications and marketing

Accuracy

Personal data must be accurate and kept up to date (when necessary). Reasonable steps need to be taken to ensure that inaccurate person data is erased or rectified without delay

Data Minimization

Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it was processed Only collect what you really need

Lawfulness, Fairness, and transparency

Personal data must be processed in a L,F,and T manner in relation to the data subject Data controller must only process person data on the basis of one of the legal grounds set forth in GDPR T is new element to this principal and is now an express obligation. a. more detailed info provided to data subjects when processing their personal data b. information that must be provided to data subjects is explicitly listed in GDPR and includes the relevant basis relied upon to legitimize the processing

Storage limitation

Personal data must not be kept in a form which permits data subjects to be identified for longer than is necessary for the purposes for which the person data is processed Personal data may be stored for longer periods if it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes provided that the appropriate safeguards required by the GDPR are put in place

What is a SAR

Subject access request any request made by or on behalf of a data subject regarding his or her personal data which may have been processed by an organization They do not need to be formal requests not does it need to be in a particular form Any request regarding personal data could be a SAR Data subject who might request SARs to the company include investigator, site staff personnel, company employees, third party vendors, consultants and clinical trial patients

Who is a Data Protection officer

The individual that is primarily responsible for ensure that an organization is processing personal data in compliance with GDPR and for monitoring compliance with GDPR

How does the company comply with data protection laws?

They have policies and procedures in place to protect personal data

What are the conditions for obtaining consent

a. it must be freely given, specific, informed, and unambiguous indication of the individual data subject consent to the processing of his/her personal data b. affirmative action or a statement - it cannot be assumed by inaction. Silence, pre-ticked boxes or inactivity do not constitute valid consent c. Consent requests must be presented in a clearly distinguishable intelligible and easily accessible form using clear and plain language d. The data subject must have the right to withdraw consent at any time and it must be as easy to withdraw consent as it is to give

What is a Data Subject

any identified or identifiable natural person to whom personal data relates

What is Personal Data

any information relating to a Data Subject, such as name, address, email address, phone number, photo, education, employment details, location data and online identifiers. All information relating to an identified or identifiable natural person

How is personal data received by the company handled?

carefully and in a manner that protects the privacy of the data subject

When should SARs (subject access request) be reported

immediate If unclear, it should still be sent Corporate affairs will respond everyone is responsible

Processing sensitive categories of personal data

it's subject to more stringent conditions for processing. This includes data about: racial or ethnic origin, Political opinions, religious or philosophical beliefs, and trade union memberships, genetic data, biometric data, health data, and data concerning an individual's sex life or orientation Processing of data relating to criminal convictions, offenses, and processing of natural identification numbers are typical subject to stringing conditions under EU member state law

Accountability

the Data Controller is responsible for, and must be able to demonstrate compliance with the data protection principles of GDPR Specific measures must be in place : a. implementing appropriate data protection / information security policies b. taking measures to meet the privacy by design and by default principle c. executing data processing agreements with data processors d. maintaining internal records of processing activities e. carrying out data protection impact assessments f. appointing data protection officer g. cooperating with data protection supervisory authorities upon request (Data Processors also have an obligation to implement some of the above listed measures)

What is a Data Processor

the party that processes personal data on behalf of a data controller

Why does GDPR regulate and restrict transfers of person data outside of the EU

to ensure that there are adequate levels of protection that are essentially to those of the EU Transfers outside of the EU and subsequent transfer are only permitted if certain conditions are met

What is the purpose of DPIA?

to identify and mitigate high risk data processing Customers or sites may request DPIA forms to be completed by the company.

When is a Data Protection Impact Assessment required

when data processing is likely to result in a high tide to the rights and freedoms of natural persons ex. the archiving of personal data from research projects or clinical trials Company has submitted a DPIA

When can Personal Data be processed

when it is necessary for performing a contract or to take steps at the request of the data subject prior to entering into a contract


Related study sets

Anthem - Tools for Compliant Selling

View Set

Iggy Chapter 40: Concepts of Care for Patients With Problems of the Central Nervous System: The Spinal Cord

View Set

Chapter 3- Introduction to Contracts

View Set

Chapter 3: The Accounting Cycle: End of the Period

View Set

Adapted Physical Education Exam 1

View Set