Smart environments in the health context, self-management and data protection in the STARR project

Pages 174-189 | Received 30 Aug 2017, Accepted 17 Oct 2017, Published online: 12 Feb 2018

ABSTRACT

The following paper discusses the data protection issues of health applications against the background of the General Data Protection Regulation (GDPR). It uses as an example the technology under development in the H2020 STARR Project. The analysis focuses especially on the problem that users of such applications lose control over the data processing in a smart environment, which is related to the topics of transparency of the processing, accountability of the controller and the potential for data abuse. The article examines to what extent the GDPR offers a good solution to these issues.

Acknowledgements

This article has been written with the financial support of the H2020 STARR Project under grant agreement No 689947. It reflects the view of the authors and does not represent the views of the whole STARR Consortium.

Disclosure statement

No potential conflict of interest was reported by the authors.

Notes

1 Article 9, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, May 4, 2016 (hereinafter: GDPR).

2 OECD Health Policy Studies (2015).

3 For more information regarding the STARR project, see http://www.starrproject.org/.

5 An overview of the scenarios and use cases in STARR can be found in STARR Deliverable D4.1, “Description of use case scenarios and their technical requirements”, 31 October 2016 (hereinafter: STARR D4.1). http://www.starrproject.org/deliverables/D4.1-UseCaseScenarios-CEA.pdf.

6 The technical description of the STARR architecture in the paper is based on work done throughout the STARR project and includes contributions by the whole consortium as quoted per deliverable.

7 STARR Deliverable D6.1, “System architecture documentation”, 30 July 2016 (p. 5). (hereinafter: STARR D6.1).

8 STARR D6.1 (p. 9).

9 STARR D6.1 (p. 10).

10 STARR D6.1 (p. 16).

11 STARR D4.1 (p. 44).

12 STARR D4.1 (p. 20).

13 STARR D4.1 (p. 9).

14 STARR D6.1 (p. 16).

15 European Commission (2012).

16 European Data Protection Supervisor, EDPS, Opinion 7/2015 (2015).

17 Article 4 (11), GDPR.

18 Recital 42, GDPR.

19 Recital 32, GDPR.

20 Hogan Lovells, Chronicle of Data Protection (2016).

21 Recital 33, GDPR.

22 Chapter III, GDPR.

23 Article 17 (1), GDPR.

24 Article 17 (1), GDPR.

25 Article 20 (1) (2), GDPR; STARR Deliverable D8.1, “Privacy Implications”, 30 November 2016 (p. 49) (hereinafter: STARR D8.1).

26 Article 12 (1), GDPR.

27 European Union Agency for Fundamental Rights (2014).

28 STARR D8.1 (p. 28).

29 Article 14 (5) (b), GDPR; STARR D8.1 (p. 46).

30 For the definitions of the roles of these actors, see Article 4 (7), (8), (9) and (10), GDPR. In principle, the party mainly responsible for the data processing is the controller, who defines the means and purposes of the processing, while the processor may process data only under the controller's responsibility.

31 Article 5 (2), GDPR.

32 In accordance with the concept of privacy by design, the controller, both at the time of determining the means of processing and during the actual processing, should implement ‘appropriate technical and organizational measures’ in order to implement data protection principles ‘in an effective manner’. In addition, the technical and organizational measures adopted by the controller should apply by default. Through these measures it should be ensured that only the personal data which is necessary for a specific purpose is processed, i.e. the principle of data minimization should be complied with; Article 25, GDPR.

33 Article 24, GDPR.

34 Article 25 GDPR on privacy by design, pursuant to which the controller should adopt appropriate technical and organizational measures, tailored to the technology in question.

35 Article 32, GDPR.

36 Article 35, GDPR.

37 Article 35 (1), GDPR.

38 Article 29 Working Party (2010).

39 STARR D8.1 (pp. 50–51).

40 Article 5 (1) (d), GDPR.
