The rapid spread of COVID-19 has prompted an urgent search for an effective vaccine or medicines to fight it. In this context, the EDPB has recently published its Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, with the clear objective of ensuring that patients’ and trial subjects’ privacy is not disregarded while clinical trials are carried out.
Does the GDPR really apply to my company? From a data protection standpoint, this is the first question that comes to mind at non-EU companies. In many cases, the GDPR is seen as an issue of the Old Continent that does not affect non-EU companies. In others, companies apply the GDPR to all their processing activities just to avoid the possibility of being addressed by EU authorities. Neither decision is per se correct.
On October 17, the Spanish data protection authority published the Guide to Privacy by Design. While Privacy by Design (PbD) first became a legal requirement in the EU with the implementation of the General Data Protection Regulation, it is a well-known concept among privacy professionals that dates back to the 1990s. PbD should be construed as “the need to consider privacy and the principles of data protection from the inception of any type of processing.” It is a concept focused on risk management and accountability that aims to incorporate privacy protections throughout the life cycle of systems, services, products, and processes. It involves the application of privacy protection measures across all business processes and practices associated with personal data.