"GDPR" IMPACT ON HEALTH DATA EXCHANGE IN EUROPEAN DIGITAL ENVIRONMENT.

The aim of this paper is to provide practical guidance to ensure compliance of the SHiELD project with the General Data Protection Regulation (EU), 2016/679 also known as "GDPR". The SHiELD project is a H2020 project whose objective is to support the lawful exchange of clinical information across Europe and is built upon the epSOS project. GDPR remains in the path defined in 1995 and does not change the main elements of the model provided by the Directive. Notice and consent remain an important legal ground for the processing of sensitive data, this is why a two-steps-consent by the data subject to the transfer and processing of health data should be envisaged by the project. However, compared to the Directive 95/46/EC, the GDPR imposes stricter security obligations on data processors and controllers. This new Regulation simultaneously broadens the relevance of the risk - as it is explicitly based on the notion of risk/based approach - and a detailed Data Protection Impact Assessment must be undertaken and documented prior the project is implemented. In line with the new accountability principle, processors and controllers should also be able to demonstrate compliance with the GDPR. This paper, in the conclusions, also underlines that SHiELD project full compliance to the Regulation could be assessed only when all Member States have revised or adapted their legislation in order to comply with the GDPR end to exploit their discretional power, delegated to them by the EU legislator on specific subjects, like processing of genetic, biometric or health data. [ABSTRACT FROM AUTHOR]