GDPR may apply to non-EU medical tourism companies

Many companies in medical tourism assume they are immune from the new EU data protection rules on EU customers, as they are outside the EU or are small companies – but they are wrong. Our advice to all medical tourism providers who target EU patients is to talk to a good lawyer who understands EU law.

All the information provided here is directly taken from the official EU site.

The EU Charter of Fundamental Rights stipulates that EU citizens have the right to protection of their personal data. Regulation (EU) 2016/679, the European Union’s new General Data Protection Regulation (GDPR), regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.

EU data protection rules apply to the European Economic Area (EEA), which includes all EU countries and the non-EU countries Iceland, Liechtenstein and Norway.

When personal data is transferred outside the EEA, special safeguards are foreseen to ensure that the protection travels with the data.

In today’s world, there are large amounts of cross-border transfers of personal data, which are sometimes stored on servers in different countries. The protection offered by the GDPR travels with the data, meaning that the rules protecting personal data continue to apply regardless of where the data lands. This also applies when data is transferred to a country that is not a member of the EU.

The law applies to:

• a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed

• a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU

If a company is a small and medium-sized enterprise (SME) whose activity doesn’t create risks for individuals, then some obligations of the GDPR will not apply. But if a company is a service provider based outside the EU and provides services to customers living in the EU, then it is subject to the rules of the GDPR.

The application of the data protection regulation depends not on the size of a company/organisation but on the nature of activities. Activities that present “high risks for the individuals’ rights and freedoms”, whether they are carried out by an SME or by a large corporation, trigger the application of more stringent rules. However, some of the obligations of the GDPR may not apply to all SMEs.

Companies with fewer than 250 employees don’t need to keep records of their processing activities unless it is sensitive data. But health and healthcare data is classed as sensitive data.

At the time of collecting their data, people must be informed clearly about many things, including which data is being collected, which organisations will see the data and the use it will be put to. Companies cannot get customers to sign contracts that allow them to opt out of GDPR rules.

GDPR allows individual EU states to adopt separate rules that can be tougher than the minimum standards.

Agencies must decide whether the rules are so costly to implement that the agency is better off declining to do business with EU residents. While the EU may not take action against a small agency in the USA or Asia that was not itself overtly soliciting business in the EU, the possibility of demonstration cases always exists, just to make the point that the EU takes the GDPR seriously. The risk of becoming an enforcement target is small, but not zero.

The best advice to all medical tourism providers who target EU patients is to talk to a good lawyer who understands EU law.