Article 37 of the General Data Protection Regulation ("AVG") requires various organizations to appoint a data protection officer ("FG") to oversee the application of and compliance with obligations under the AVG within the organization. Healthcare organizations that process special personal data on a large scale are also required to do so. But what about partnerships in healthcare? Should an alliance itself appoint an FG or should this be done separately for each organization involved? Finally, how should the FG be notified to the Personal Data Authority (AP)? Below you will find answers to these questions, so that your organization that is part of an alliance acts in line with the AVG.
Healthcare groups (the Personal Data Authority ("AP") means a partnership of several healthcare providers) often treat large numbers of patients per year and exchange a lot of medical information among themselves. Medical information qualifies as a special category of personal data. Under the AVG, appointment of an FG is mandatory if special categories of personal data are processed on a large scale. The AP takes as its starting point that healthcare groups process medical information (and thus: a special category of personal data) on a large scale. The appointment of an FG for healthcare groups is therefore mandatory. Parties that may be involved in a collaborative arrangement, but do not or hardly process any special personal data themselves and have no say in the matter fall outside this obligation.
Article 37 AVG shows that the appointment of the FG is an own obligation of each controller and processor. This means that each healthcare institution, as a controller or processor within the partnership, is in principle obliged to appoint its own FG. Fortunately, a more practical solution also exists.
The AP states that within a group with several organizations, one FG can be used. Although the AP does not say so in so many words, we believe that this construction also applies to healthcare partnerships. In practice, this means that one organization registers the FG with the AP (see below "Registration of FG") and indicates in the explanatory note that the FG also acts for the other organizations that process personal data within the health care partnership. Of course, with this construction, proper agreements will have to be made within the alliance about how the FG will be deployed.
For example, the joint FG should be easily accessible to the organizations within the partnership. To ensure that the FG is easily accessible, the FG's contact information should be widely available, at least on the website of all organizations involved. Both internal and external contact with the FG should be directly possible by phone or other secure communication channel. In addition, the FG should actually be able to perform the legal duties of an FG in practice. Since the FG has multiple duties, the organizations within the collaborative should ensure that a single FG, assisted by a team if necessary, can perform these duties efficiently despite being assigned to multiple organizations. It is also important to agree within the collaborative to whom the FG reports. A separate contact person can be appointed for this for each organization, or a team can be designated within the partnership to maintain contact with the FG. We recommend recording these arrangements in the cooperation agreement.
Any appointed FG must be registered with the AP through its website. This can be done via The registration and modification form FG. When deploying a single joint FG for the healthcare partnership, the explanation must state for which organizations the FG is acting.
Each organization within the health care collaborative is required to appoint an FG, unless the organization does not process special categories of personal data, if at all, and has no say in the matter. A separate FG can be appointed for each organization or one joint FG for the entire partnership. When appointing a joint FG, keep a close eye on the conditions of accessibility and practical implementation and record the agreements in the cooperation agreement.
