Health Technological Innovation and EU Competencies (EPH1025)
Summary
Summary GDPR: Regulation 2016/679
35 views 12 purchases
Course
Health Technological Innovation and EU Competencies (EPH1025)
Institution
Maastricht University (UM)
This document is simply the relevant Recitals and Articles from Regulation 2016-679 (GDPR). No notes or emphasis are added. This document allows you to ignore all the irrelevant text of the Regulation and focus only on the relevant points.
Health Technological Innovation and EU Competencies (EPH1025)
All documents for this subject (8)
Seller
Follow
EPH
Reviews received
Content preview
Regulation 2016/679 (GDPR)
Recital 26: The principles of data protection should apply to any information concerning an
identified or identifiable natural person. Personal data which have undergone pseudonymisation,
which could be attributed to a natural person by the use of additional information should be
considered to be information on an identifiable natural person. To determine whether a natural
person is identifiable, account should be taken of all the means reasonably likely to be used, such as
singling out, either by the controller or by another person to identify the natural person directly or
indirectly. To ascertain whether means are reasonably likely to be used to identify the natural
person, account should be taken of all objective factors, such as the costs of and the amount of time
required for identification, taking into consideration the available technology at the time of the
processing and technological developments. The principles of data protection should therefore not
apply to anonymous information, namely information which does not relate to an identified or
identifiable natural person or to personal data rendered anonymous in such a manner that the data
subject is not or no longer identifiable. This Regulation does not therefore concern the processing of
such anonymous information, including for statistical or research purposes.
Recital 33: It is often not possible to fully identify the purpose of personal data processing for
scientific research purposes at the time of data collection. Therefore, data subjects should be
allowed to give their consent to certain areas of scientific research when in keeping with recognised
ethical standards for scientific research. Data subjects should have the opportunity to give their
consent only to certain areas of research or parts of research projects to the extent allowed by the
intended purpose.
Recital 50: The processing of personal data for purposes other than those for which the personal
data were initially collected should be allowed only where the processing is compatible with the
purposes for which the personal data were initially collected. In such a case, no legal basis separate
from that which allowed the collection of the personal data is required. If the processing is necessary
for the performance of a task carried out in the public interest or in the exercise of official authority
vested in the controller, Union or Member State law may determine and specify the tasks and
purposes for which the further processing should be regarded as compatible and lawful. Further
processing for archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes should be considered to be compatible lawful processing operations. The legal
basis provided by Union or Member State law for the processing of personal data may also provide a
legal basis for further processing. In order to ascertain whether a purpose of further processing is
compatible with the purpose for which the personal data are initially collected, the controller, after
having met all the requirements for the lawfulness of the original processing, should take into
account, inter alia: any link between those purposes and the purposes of the intended further
processing; the context in which the personal data have been collected, in particular the reasonable
expectations of data subjects based on their relationship with the controller as to their further use;
the nature of the personal data; the consequences of the intended further processing for data
subjects; and the existence of appropriate safeguards in both the original and intended further
processing operations.
Recital 156: The processing of personal data for archiving purposes in the public interest, scientific
or historical research purposes or statistical purposes should be subject to appropriate safeguards
for the rights and freedoms of the data subject pursuant to this Regulation. Those safeguards should
ensure that technical and organisational measures are in place in order to ensure, in particular, the
principle of data minimisation. The further processing of personal data for archiving purposes in the
1
,public interest, scientific or historical research purposes or statistical purposes is to be carried out
when the controller has assessed the feasibility to fulfil those purposes by processing data which do
not permit or no longer permit the identification of data subjects, provided that appropriate
safeguards exist (such as, for instance, pseudonymisation of the data). Member States should
provide for appropriate safeguards for the processing of personal data for archiving purposes in the
public interest, scientific or historical research purposes or statistical purposes. Member States
should be authorised to provide, under specific conditions and subject to appropriate safeguards for
data subjects, specifications and derogations with regard to the information requirements and rights
to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to
object when processing personal data for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes. The conditions and safeguards in question may
entail specific procedures for data subjects to exercise those rights if this is appropriate in the light
of the purposes sought by the specific processing along with technical and organisational measures
aimed at minimising the processing of personal data in pursuance of the proportionality and
necessity principles. The processing of personal data for scientific purposes should also comply with
other relevant legislation such as on clinical trials.
CHAPTER I
Article 4: “Definitions”
For the purposes of this Regulation:
(1) ‘personal data’ means any information relating to an identified or identifiable natural person
(‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number, location data, an
online identifier or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person;
(2) ‘processing’ means any operation or set of operations which is performed on personal data or on
sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction,
erasure or destruction;
(5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal
data can no longer be attributed to a specific data subject without the use of additional information,
provided that such additional information is kept separately and is subject to technical and
organisational measures to ensure that the personal data are not attributed to an identified or
identifiable natural person;
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purposes and means of the processing of personal data;
where the purposes and means of such processing are determined by Union or Member State law,
the controller or the specific criteria for its nomination may be provided for by Union or Member
State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller;
2
, (11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous
indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative
action, signifies agreement to the processing of personal data relating to him or her;
(15) ‘data concerning health’ means personal data related to the physical or mental health of a
natural person, including the provision of health care services, which reveal information about his or
her health status;
CHAPTER II
Article 5: “Principles relating to processing of personal data”
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject
(‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes; further processing for archiving purposes
in the public interest, scientific or historical research purposes or statistical purposes shall, in
accordance with Article 89(1), not be considered to be incompatible with the initial purposes
(‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which
they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to
ensure that personal data that are inaccurate, having regard to the purposes for which they
are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed; personal data may be
stored for longer periods insofar as the personal data will be processed solely for archiving
purposes in the public interest, scientific or historical research purposes or statistical
purposes in accordance with Article 89(1) subject to implementation of the appropriate
technical and organisational measures required by this Regulation in order to safeguard the
rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including
protection against unauthorised or unlawful processing and against accidental loss,
destruction or damage, using appropriate technical or organisational measures (‘integrity
and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1
(‘accountability’).
Article 6: “Lawfulness of processing”
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
3
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller EPH. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $0.00. You're not tied to anything after your purchase.
