Pharmaceutical manufacturers and others engaged in the health care industry should factor in information about transfers of value to HCPs as an element to be covered when establishing or adjusting data processing routines ensuring GDPR compliance.
The General Data Protection Regulation (“GDPR”) comes into force on 25 May 2018 and companies worldwide are currently preparing for a new personal data protection regime in the European Economic Area (EU countries plus Norway, Iceland and Liechtenstein), implying amongst other things increased requirements to companies’ processing of individuals’ personal data.

In particular, all companies will in future have an obligation to provide clear and comprehensible information to individuals about the type of personal data they process about them and how and ensure consent to such processing, if the processing is not done according to law or similar. All companies should therefore currently be analyzing and identifying their actual data processing – in order to implement any measures necessary to ensure compliance with the new regime from 25 May 2018. This will in most cases include at least all the company’s data processing about individuals such as employees, customers and suppliers.

However, for many companies data processing routines needs to be analyzed in much more detail in order for the company to obtain overview of its actual data processing and to implement any steps necessary to adjust today’s routines to comply with tomorrow’s requirements.

Pharmaceutical manufacturers, medical devices manufacturers and others engaged in the health care industry needs to be particularly aware of the fact that collection and any other processing of personal data in the context of fulfilling obligations to disclose transfers of value to individual HCPs is also encompassed by the requirements of the GDPR. Such obligations are very common within the health care industry and largely follow from ethical industry codes such as the EFPIA HCP/HCO Disclosure Code and/or similar ethical codes from other international or national industry organizations.

Consequently and in the context of preparation for GDPR compliance, companies in the health care industry should also be asking themselves at least the following questions:
• What kind of information do we collect and process in relation to disclosure of transfers of value to HCPs?

• Do we collect more information than strictly necessary for the purpose of fulfilling obligations to disclose transfers of value?

• Is the actual data processing compliant with the purpose for which the data was collected or do we use data collected about HCPs for other purposes?

• Do we need to update our agreements with HCPs to ensure that consent clauses reflect actual and lawful data processing?

• Do we need to take any measures internally to ensure that we provide timely and sufficient information notices to individuals about the processing of their data?

• Do we need to take any measures internally to ensure that HCPs can exercise rights such as for example the right to access information, the right to rectify information, the right to be forgotten and the right to withdraw consent?

• Do we use a data processor and if so, do we have sufficient data processing agreements in place?

• Do we legally transfer any data about transfers of value to HCPs outside the European Economic Area?
For companies within the health care industry who have not already full overview of the flow of personal data within their organization and how any personal data processing routines needs to be established or adjusted to ensure compliance with GDPR – now is the time.

Bull & Co advises on all aspects of health care related regulatory law, data privacy and GDPR compliance. Please feel free to reach out for a non-binding discussion about which steps your business should be taking to ensure GDPR compliance.

Kirti Mahajan Thomassen

Mobile: +47 469 48 477

Jenny Sveen Hovda

Managing Associate
Mobile: +47 936 91 555