Increased interest in DP filings regarding data processing in the context of disclosure obligations under the EFPIA Code

There seems to be an increased interest in DP filings relating to data processing performed in the context of obligations of pharmaceutical companies to disclose any Transfers of Value to EU-based individual healthcare providers, for compliance purposes with the EFPIA Code, also implemented in Greece. Since a number of questions have been raised in this context, attributed, to an extent, to the interplay between the implemented EFPIA Code and other laws in place setting out relevant disclosure obligations, it is likely that specific guidance will be issued by the HDPA, with a particular focus on the adherence to the principle of proportionality.

To be considered as background information, in designing products targeting pharmaceutical industry.

Need for an update of DP filings following the CJEU Schrems decision

Following the Schrems decision and a public notice by the HDPA, the following position seems to apply -in practice- as to existing DP filings regarding notification of data transfers to third countries made on the basis of safe-harbor certificates: (a) any data transfers to non EU-based data recipients on the basis of safe-harbor certificates are deemed to be unlawful; (b) data controllers, who transferred data to non EU-based data recipients on such basis, and who, following the issuance of said court decision, wish to continue transferring data to non EU-based entities, shall update their DP filings upon compliance with the other bases for validity of data transfers provided under the law (primarily Data Transfer Agreements incorporating EU Standard Contractual Clauses) as soon as possible; (c) an update of DP filings in place by data controllers is currently in progress (whereby the replacement of the safe-harbor certificate through a copy of a signed Data Transfer Agreement incorporating EU Standard Contractual Clauses should be sufficient); and (d) the HDPA reserves its competence to conduct, at any time, compliance checks in this respect.

Organisations operating in Greece should review their current filings in Greece particularly where transfers are on the basis of safe-harbor certificates to ensure an alternative adequate measure is in place.

Data processing involving the use of cloud systems

The use of a cloud system in the context of data processing relating to a specific processing purpose should be treated autonomously from a data protection law perspective, in the sense that the cloud system and the services rendered there-under should be described and addressed separately and specifically. The adherence to the principle of proportionality is likely to be critical in any regulatory scrutiny of such arrangements.

Organisations in Greece should bear this in mind in the event of data processing, which entails the use of a cloud system.

Submitted by Alkistis Christofilou, Partner and Maria Demirakou, Senior Associate at Rokas Law Firm – Athens, Greece, in partnership with DAC Beachcroft LLP.