GDPR Right to Access Personal Data

GDPR Exemptions That Provide Leeway to EU Member State Laws

Healthcare companies marketing or offering their services to EU residents that involves the collection or processing of their personal data must comply with the EU General Data Protection Regulation (GDPR).

One facet of GDPR compliance that is particularly relevant to healthcare companies is the right of data subjects to access their personal data. Any resident in the EU has the right to access all their personal information and also view any supplemental data attached to their data file. Data subjects are more likely to request access to their health data than other forms of personal data, such as that held by a retailer. Health data often needs to be shared with other healthcare providers, and errors or out of date information can have serious consequences for patients.

GDPR Article 15 details the rights of data subjects regarding subject access requests (SARs). When a data subject decides to exercise their GDPR right to access personal data, the organization must honor the request within 30 days.

The data subject is permitted to get verification concerning the collection, use and storage of his or her personal information; the types of information that are held by the data controller; the reason behind the data processing; the types of entity with whom data will be disclosed; whether or not data will be transmitted to an international organization or be transmitted outside the country; and the period of time that data will be processed and stored. This information can be provided verbally, in writing or digitally.

When the right to access has been exercised, other rights also apply, for example, the right to request modification of personal data, the right to be forgotten, the right to have data deleted, and the right to stop personal data processing. When a request is made by a data subject to be given a copy of their personal data, the organization must provide the data without charging the data subject. When such a request is made for a digital copy, personal data should be provided in a widely used electronic format.

Although companies are not allowed to demand a fee for providing access to personal data, nominal fees may be charged if multiple copies are requested. It is likewise allowable to ask for a reasonable amount if the request is considered excessive, for instance, when a SAR is is made too frequently.

It is vital for healthcare companies to implement policies that allow them to respond to SARs promptly and that they are able to easily locate all personal data stored on an individual. As opposed to HIPAA, which calls for copies of health data to be supplied as a data set, all stored personal data must be provided on request.

GDPR has been in force since May 25, 2018. Any healthcare company that fails to comply with GDPR can face substantial financial fines for noncompliance. The maximum financial penalty for violating GDPR is €20 million or 4% of global annual turnover, whichever is higher.