A medical center contracted by an insurance company to provide examinations and studies to individuals covered by insurance may be a “data controller” under the EU General Data Protection Regulation (GDPR) says the Commission for the Protection of Personal Data of Bulgaria.

The CPPD determined that in the case before it, the medical center was a data controller and not a “data processor” because:

  1. The processing of personal data in connection with the carrying out of examinations and research cannot be carried out on behalf of the insurer (data controller) because such services are required, by law, to be carried out by an organization having the status of a “medical establishment” within the meaning of the Bulgarian Law on Medical Establishments.
  2. Special legislation in the field of healthcare provides for a number of obligations, measures, mechanisms, procedures and conditions for the protection of health information containing personal data which cannot be delegated to a data processor.*

* summary based on an informal translation

View the original CPPD determination.

The EU General Data Protection Regulation (GDPR) applies to small businesses too, and many are not ready.

A recent poll of 1,000 small business owners revealed many are still “clueless” about GDPR – leaving the personal data of millions of employees and customers at risk.

  • “Four in 10 small businesses surveyed did not know the loss of paperwork could be a data breach, while 36 percent were not aware personal data posted, emailed or faxed to the wrong person could be a breach too”.
  • “Six in 10 had no idea the data protection authority has to be notified of data breaches where individuals’ rights are affected and around half did not know all those affected must be told as well.”
  • “Almost 45 per cent of businesses surveyed have no insurance whatsoever in place to protect them against cyber or data risks”.

The UK’s Independent has details via MSN Money.

With the European Union’s new General Data Protection Regulation (or GDPR) taking effect in less than 100 days, the interest of many U.S. companies has been piqued as to how the GDPR may affect their overseas and internet-based businesses. This article on CFO.com, “Why GDPR Matters,” which I co-authored with Bill Shipp from Vaxient, LLC and Jonathan Marks, CPA from Marcum, LLP, tackles this hot issue and answers why GDPR should matter to U.S. companies in a wide variety of industries.

To assist U.S.-based companies in determining how GDPR may affect their business, Fox Rothschild has also developed a GDPR mobile app called “GDPR Check” (details and download information here). The app is designed to help companies determine which areas of their business (if any) may require GDPR compliance.

If you have any questions about how GDPR may affect your company, we encourage you to consult a knowledgeable attorney and experienced professionals.