The Dutch Data Protection Authority (AP) sees no reason to initiate a more detailed investigation into possible violations of the GDPR by MRDM when storing medical data on a cloud platform. This concerns personal data originating from Dutch hospitals. Public questions have been asked about how the organization works. The privacy regulator has obtained information on this from MRDM. – MDRM is a third party IT Services provider processing patient data for Dutch hospitals.
MRDM in turn uses a sub-processor (apparently Google) for the storage of that personal data. This sub-processor is a cloud platform that is located outside the EU. The storage of data is done via the cloud. The ‘exploratory investigation’ of the AP related to that last step: the processing of patient data in the cloud.
As part of an explorative inquiry the DPA lookes at the storage, by MRDM’s sub-processor, of patient data in the cloud.
Apparently, the following have been reviewed
- the standard operating procedures,
- the sub-processing agreements and
- technical and organizational security measures.
The personal data is stored in the Netherlands, the contracts with the cloud platform ensure that there is no international transfer of personal data to third countries outside the EEA. In addition, MRDM has informed the AP about how the data is protected.
The decision of the Dutch DPA not to investigate further might be seen as a sign that n that GDPR compliance can be achieved in respect of cloud-based processing of patient data.
DPA press release:
https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-stelt-geen-onderzoek-naar-opslag-medische-gegevens-cloud
Blog post by BakerMcKenzie:
https://www.bakermckenzie.com/en/insight/publications/2019/11/draft-eprivacy-regulation-rejected
Media article:
https://www.agconnect.nl/artikel/medische-data-google-cloud-krijgt-geen-avg-onderzoek