This includes important changes to DIGAV!
(See “Artikel 8”, page 44ff)

• From 1.Jan 2023 DIGA (digital health applications) would need to be able to export data into a the electronic patient file (elektronische Patientenakte)
• Also new requirements on certified information security management (from no later than 1 Jan 2022) and a BSI certificate on data security (from 1 Jan 2023). This also applies to digital health applications which are already registered.
• Also new requirements on integrating with the electronic patient card for authentication (elektronische Gesundheitskarte) – unless the DIGA is purely web-based. (31 Dec 2020)
• Also the vendor needs to ensure that the provided health information is kept up-to-date.

https://www.bundesgesundheitsministerium.de/fileadmin/Dateien/3_Downloads/Gesetze_und_Verordnungen/GuV/D/Referentenentwurf_DVPMG.pdf

https://www.netzwerk-datenschutzexpertise.de/sites/default/files/gut_2020_09_betriebsarzt_v1_0.pdf

(Medizinische Dienste)

There is a good write-up in German by Noémi Ziegler at
https://datenrecht.ch/die-dsg-revision-ist-abgeschlossen/

David Rosenthal (VISCHER) has a summary at
https://www.vischer.com/know-how/blog/neues-datenschutzgesetz-das-muessen-sie-wissen-38752/

Final text (in parliament) is here:
https://www.parlament.ch/centers/eparl/curia/2017/20170059/Schluzssabstimmungstext%203%20NS%20D.pdf

The VUD published an overview here:
http://www.vud.ch/view/data/2124/vud_rohstoff_revidiertes_dsg.pdf

These reflect early CNIL recommendations from 11-Oct-2005 on the archiving of personal data.
They aim to provide practical help to define the data retention rules and periods.
Similar to DIN-66398 (German industry standard on data retention/deletion) they don’t include guidance on specific data categories. https://din-66398.de/

However, CNIL does define data retention periods in separate dcouments (“Référentiel”). Up to now, two such Référentiels have been published for the health sector:

• Recherches dans le domaine de la santé – https://www.cnil.fr/sites/default/files/atoms/files/referentiel_-_recherches_dans_le_domaine_de_la_sante.pdf
• Traitements dans le domaine de la santé (hors recherches) – https://www.cnil.fr/sites/default/files/atoms/files/referentiel_-_traitements_dans_le_domaine_de_la_sante_hors_recherches.pdf

https://iapp.org/resources/article/gdpr-genius/

Fieldfisher has a very readable four parts blog on the California Consumer Privacy Act 2018 (CCPA)

• CCPA Blog Series, Part 1: We just got through GDPR… Here we go again?
• CCPA Blog Series, Part 2: Rethinking access and data portability rights
• CCPA Blog Series, Part 3: Confused over opt-out rights? You’re not alone.
• CCPA Blog Series, Part 4: Last but not least… Deletion and Non-discrimination

Japan adequacy decision and related documents
https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

Full text:
http://www.europarl.europa.eu/sides/getAllAnswers.do?reference=E-2018-003163&language=EN

Sidley has an article on it here:
https://datamatters.sidley.com/new-belgian-data-protection-act-takes-effect/

“Genetic, Biometric and Health-Related Data Processing

Additional organizational and security measures must be put in place by data controllers and/or processors that process genetic, biometric or health-related data. On the basis of the Belgian Act, they must designate specific personnel authorized to access such data, and identify their capacity in relation to the data processing. A list with this information should be compiled and kept at the disposal of the competent Supervisory Authority. In addition, they must ensure that these individuals are bound by confidentiality with regard to this data on the basis of either statutory or contractual requirements.”

While it has been compared with GDPR in news articles, there are significant differences.

https://datamatters.sidley.com/california-enacts-broad-privacy-protections-modeled-on-gdpr/