The General Data Protection Regulation (GDPR), the new text regarding Privacy and Data Protection matters in EU, introduced a lot of novelties in addition to the old Directive regulating these aspects. Particularly, it introduced new EU citizens' rights like the Right to Data Portability and the Right to Be Forgotten (RTBF), on which the following article will be focused.
The latter has been codified into a legal text after one of the most famous 2014 rulings by the Court of Justice of the European Union (CJEU). The RTBF consists in:
[...] "obtain from the controller the erasure of personal data concerning him or her without undue delay". (see art. 17 GDPR)
Why and when Digital Health Entrepreneurs need to care
As a digital health application developer, you need to keep this new right into consideration. When processing EU citizens' data you are acting as Data Controller, hence you have the obligation to erase personal data without undue delay if asked by the data subject. This must happen when:
- (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- (b) the data subject withdraws the consent which he/she previously gave (on which the processing is based);
- (c) the data subject objects to the processing
- (d) the personal data have been unlawfully processed;
- (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
Check if you collect "sensitive" dataDownload our Decision Tree
What is difficult about RTBF
RTBF implies challenges on design and implementation phases.
On the design side you must understand what data you collect in order to identify:
- what must be deleted;
- what must not be deleted because regulated by another law;
- what can be kept once anonymized to improve your service;
On the implementation side RTBF still needs to be clarified totally defining at what level the data must be deleted. Deleting the data in the application DB could be quite simple, while deleting the data on backup copies could be much much more challenging.
And since we all use cloud computing and some IaaS providers, the second question is also relevant for them. What kind of guarantees you need to have from IaaS provider in order to guarantee that you implement RTBF correctly. Because at the end you are responsible for its implementation.
How Chino.io can help you
According to EU law, Chino.io can act as a Data Processor for app developers. We provide to application developers a service to safely store sensitive data in compliance with EU data protection laws and policies.
However, when storing these type of data, Data Subject may ask you to exercise their right to be Forgotten. Thanks to Chino.io you will be able to satisfy data subjects easily, safely and in no time.
For further information do not hesitate to contact us at firstname.lastname@example.org or download our guide on GDPR and Health App compliance.