All the answers to your questions about our services, DPO support and data protection laws compliance

What expertise does an organisation processing personal and health data need to ensure its protection?

Health data is sensitive data. It can be targeted for misuse or fraud purposes, with serious consequences for the individuals concerned: discrimination, blackmail, violation of privacy, etc. To protect individuals, and to protect your organisation from the legal consequences of any breach, illegitimate or non-compliant use of this data, you need, at the very least:

  • to have skills in data protection law and law in the health sector,
  • to know how to assess and manage information security and data privacy risks,
  • to know how to establish appropriate internal data protection rules,
  • to train your staff to apply and comply with these rules, and, finally,
  • to know how to implement a continuous improvement approach.

The answer can be found in the GDPR (Articles 37 to 39), as well as in the guidelines of the European Data Protection Board (EDPB).

If your healthcare and/or clinical research organization (1) is located in the EU, or (2) if you process participants’ personal data in your clinical studies who are located in the EU, while being outside the EU yourself: you are obliged to appoint a DPO with the competent supervisory authority (e.g. the CNIL if you are located in France), due to the nature of the healthcare data you are processing.

For healthcare professionals and pharmacists, it depends on the size of their patient base. Where a decision is made not to appoint a DPO, however, it has to be justified and documented.

In 2025, the EDPB launched an overhaul of the DPO guidelines. The CNIL and two of its European counterparts constitute the drafting team in charge of updating them. The European doctrine may therefore be further clarified, or evolve, in the near future.

The new Swiss Federal Act on Data Protection (nFADP) does not require the appointment of a Data Protection Officer for private data controllers. However, federal bodies have this obligation.

A private organisation that processes health data on a large scale, being (1) either established in Switzerland, (2) or established outside Switzerland but processing data of individuals located in Switzerland, may decide to appoint a DPO to benefit from the exemption from consulting the supervisory authority (Federal Data Protection and Information Commissioner – FDPIC) in the event of data processing presenting a high risk to the personality or fundamental rights of individuals.

The contact details of the DPO, when appointed, must be communicated to the FDPIC.

The designation of an individual or individuals accountable for ensuring compliance with the ten principles set out in the Personal Information Protection and Electronic Documents Act is the cornerstone of an organisation’s compliance (in accordance with the principles set out in the National Standard of Canada entitled “Model Code for the Protection of Personal Information, CAN/CSA-Q830-96”).

The same rule applies to a private organisation located outside Canada, insofar as the organisation’s activities have a real and substantial link with Canada, which is most generally the case for the conduct of a clinical study on Canadian territory.

The communication of the contact information of the accountable individual to the Office of the Privacy Commissioner of Canada is not required by the federal law.

In addition, the province of Ontario’s Personal Health Information Protection Act (PHIPA) requires the designation of a specific contact person for health information, and publication of the contact details.

You can put your trust in us to meet your need for compliance in personal data protection and privacy in the health area:

  • Do you have a specific question related to data protection in the health area? Ask us your question, and we will be happy to answer it at no cost to you.
  • Would you like to be put in touch with a member of our customer or partner network, to receive confidential feedback on our services?
  • Would you like to know more about our company: our working methods, tools and knowledge base, our ability to meet your needs and projects?

All the terms of our discussions are regulated by our personal data protection and privacy policy.