Digital Health and "Right to Be Forgotten"


The General Data Protection Regulation (GDPR), the new EU text on privacy and data protection, introduced many novelties compared with the old Directive that regulated these matters. In particular, it introduced new rights for EU citizens, such as the Right to Data Portability and the Right to Be Forgotten (RTBF), on which this article focuses.

The latter was codified into law after one of the most famous 2014 rulings of the Court of Justice of the European Union (CJEU). The RTBF is the right to:

[...] "obtain from the controller the erasure of personal data concerning him or her without undue delay". (see art. 17 GDPR)

Why and when Digital Health Entrepreneurs need to care

As a digital health application developer, you need to take this new right into consideration. When processing EU citizens' data you act as a Data Controller, so you are obliged to erase personal data without undue delay when the data subject asks. This must happen when:

  • (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • (b) the data subject withdraws the consent which he/she previously gave (on which the processing is based);
  • (c) the data subject objects to the processing;
  • (d) the personal data have been unlawfully processed;
  • (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).


What is difficult about RTBF

RTBF implies challenges in the design and implementation phases.

On the design side, you must understand what data you collect in order to identify:

  • what must be deleted;
  • what must not be deleted because it is regulated by another law;
  • what can be kept once anonymized to improve your service.

On the implementation side, RTBF still needs to be fully clarified, in particular the level at which the data must be deleted. Deleting the data in the application database can be quite simple, while deleting it from backup copies can be much more challenging.
Since we all use cloud computing and IaaS providers, the backup question is relevant to them as well. What guarantees do you need from an IaaS provider to be sure that you implement RTBF correctly? In the end, you are the one responsible for its implementation.

How can help you

According to EU law, can act as a Data Processor for app developers. We provide application developers with a service to safely store sensitive data in compliance with EU data protection laws and policies.

However, when you store these types of data, Data Subjects may ask to exercise their Right to Be Forgotten. Thanks to, you will be able to satisfy data subjects easily, safely, and quickly.
