data protection | In Principle

The EU’s Artificial Intelligence Act prohibits certain particularly harmful AI practices. These provisions will begin to apply from 2 February 2025. Non-compliance can attract an administrative fine of up to EUR 35 million or, in the case of a company, up to 7% of its total annual worldwide turnover from the previous fiscal year, whichever is higher.

In clinical trials, a standard practice is that the sponsor, i.e. the entity responsible for undertaking the clinical trial, managing it and arranging for its funding, does not have access to data directly identifying the study participants. Typically, the patients’ data reach the sponsor in pseudonymised form. Thus sometimes sponsors assume that since they are only processing pseudonymised data of clinical trial participants, they are not subject to the GDPR. Nothing could be further from the truth. Indeed, pseudonymisation poses additional challenges for sponsors as data controllers.

In recent years, the gig economy, based on a model of flexible employment using online platforms, has grown rapidly. In the EU, it is estimated that 43 million people will be employed through such platforms in 2025. A heated discussion is underway regarding the new regulations in this sector, in particular regarding the employment model for such workers, but also about making automated decisions regarding them using various types of algorithms. What should the organisers of job platforms keep in mind in light of the GDPR? We discuss this using the example of decisions on food delivery platforms issued by the Italian Data Protection Authority.

The Digital Markets Act or DMA (Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector), which entered into force on 1 November 2022, creates many new obligations for businesses operating in the digital sector, particularly so-called “gatekeepers.” The DMA will impact the functioning of the entire digital ecosystem—not only gatekeepers, but also other participants in digital markets, including business users and end users of core platform services, competing providers of core platform services, and providers of other digital services.

The proliferation of remote work, combined with the development of monitoring technologies, has led employers around the world to implement various, sometimes technologically advanced methods to check employees’ performance and commitment to their work. In this area, IT solutions and programs commonly called “bossware” are gaining popularity.

The upcoming amendment to the Labour Code on remote work is expected to comprehensively regulate a number of issues and relationships between employer and employee, significantly changing the existing legal landscape for performing work from home. The amendment also touches on issues of processing of personal data. Although work on the bill is still underway, it appears unlikely that the provisions discussed below will change significantly, so it is already worth taking a closer look at them.

Entities transferring personal data outside the European Economic Area on the basis of standard contractual clauses that are no longer in force (where the transfer began before 27 September 2021) should conclude agreements based on new clauses by 27 December 2022.

Regulating the secondary use of health data opens up research and analytical opportunities, which can drive scientific progress, new products and devices, digital innovation in the healthcare sector, and improvement of the healthcare system.

All EU citizens will have access to their electronic health records by 2030 thanks to the EU’s central eHealth platform linking national contact points to the MyHealth@EU infrastructure and efficient national digital health authorities.

True cross-border healthcare based on medical documentation accessible throughout the EU via interoperative electronic health data systems. Unleashing the potential of health data for science and  developing new drugs and treatments. These are among the benefits promised by the European Health Data Space.

A list of questions has been published on the website of the Personal Data Protection Office on compliance with the GDPR provisions on data protection officers. These issues will need to be addressed by data controllers and processers summoned by the data protection authority.

The law in Poland is quite precise about who can be given information about a family member’s health, and in what situations. But when contacted by a family member by phone, how can the healthcare provider verify the caller’s identity? And can a hospital in principle refuse to provide information by phone?