The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. The main principles of the current Personal Data Act remain in the Data Protection Regulation, but there are also some new obligations for the controller and rights for the data subject. We have gathered a few things here that could be taken into account in the everyday life of the clinic.
The GDPR highlights the transparency of the processing of personal data. The data subject, ie the customer, needs to know what information and for what purpose you want to process their data. In practice, this can be handled conveniently with a Privacy Notice that must be easily visible to the customer, for example on a website or at a reception. The Privacy Notice structure should be as follows:
- The controller (your organisation's contact information)
- Contact details (who can give more information)
- Register name (eg Customer register)
- Purpose of processing personal data (eg billing and informing)
- The data content of the register (eg name and address)
- Regular sources of information (from where the personal data is obtained; eg from the data subject)
- Data recipients (organisations that process the personal data, eg FNS)
- Transfer of data outside the EU or EEA
- How the data is kept safe
- Data retention time
- General rights of the data subject (eg right to access information and instructions on how to use this right)
- Other rights of the data subject (eg right to transfer data)
Make sure that the data subjects in your register have given permission to process their data or that there is another legal basis for processing – if the register contains only data of your customers, such a basis is a contract or a legitimate advantage, so no separate consent is required. However, please respect the customer's wish to refuse marketing by blocking communication in Provet Cloud’s settings.
Prepare for a customer asking to see their own data or to transfer their data to another system. If they make a request electronically, the information must be provided in a commonly used electronic form (unless otherwise requested by the registrar). The information must be submitted within one month from the date of the request. If you have reason to question the identity of a person making the request, you can ask them for more information to help you verify it.
Also, prepare for a customer wanting to "be forgotten", deleting their personal data. They have that right if the data is no longer needed and there is no legitimate reason for handling it (in animal health care, there are several reasons; see, for example, the regulation on veterinary medication).
The use of email for the transfer of personal data should be avoided in the case of large amounts (eg address list), but, for example, sending invoices and receipts to the customer will continue to be OK.
As a controller, you must be able to demonstrate to the authorities that you have followed the principles of personal data processing. In practice, this requires planning, preparedness, and ability to demonstrate the measures taken, through documentation among other things. This obligation also includes staff training – a requirement may be the passing of an online training, for example.
For more information about the GDPR, see here: https://www.eugdpr.org/
If you have any further questions, do not hesitate to contact Coordinator Minna Nousiainen: firstname.lastname@example.org