Code of conduct under the GDPR: meaning and content

The role of codes of conduct in protecting personal data and what you need to know about compliance (and the consequences of deciding to comply but not doing so).

In this article:

• What is a code of conduct under GDPR provisions
• On the adoption of the first Polish code of conduct for small medical facilities
• Personal data of patients and surveys
• Obtaining the consent of the data subject during CCTV
• Why is a code of conduct a good idea?

As a reminder: What is the code of conduct, and why is it needed?

Codes of conduct are referred to in Article 40 of the GDPR as a way of properly applying the GDPR. The GDPR also encourages associations and other bodies representing controllers or processors to develop codes of conduct for their organisations. The code of conduct approved by the company is one of the signs that the company knows what and how it needs to do to carry out the lawful processing of personal data.

The first Polish code of conduct that meets GDPR requirements

At the end of 2022, the Polish Supervisory Authority (“UODO”) approved the “Code of Conduct concerning the Protection of Personal Data Processed in Small Medical Facilities“. As indicated in the code, the purpose is to clarify the principles of data protection contained in the GDPR and to increase personal data protection in small medical facilities.

As healthcare facilities are data controllers under the provisions of the GDPR, they are responsible for ensuring the proper processing of patients’ personal data. This code of conduct also contains practical recommendations for fulfilling specific obligations that arise due to the effect of the provisions of the GDPR, taking into account the specifics of the functioning of medical facilities.

The Polish Code of Conduct applies only to personal data processed in connection with the medical activities of small medical facilities. It does not apply to the processing of personal data of employees or candidates for employment in a medical facility.

Of course, medical facilities directly process special categories of data (sensitive data). Such categories as genetic, biometric data, and health data, as a general rule, cannot be processed, except

• with the consent of the data subject, or
• to perform duties and exercise special rights of the controller or data subject in the field of employment and the right to social security and social protection, or
• the processing is necessary to protect the vital interests of the data subject or another natural person if the data subject is physically or legally unable to consent.

All grounds for processing such data categories are contained in paragraph 2 of Article 9 of the GDPR.

According to the Code of Conduct provisions, each medical facility must place on its website (if any) a notice of the existence of the Code of Conduct in accordance with the provisions of the GDPR. In addition, information on the possibility and method of filing a complaint against a medical facility due to violating the adopted Code’s provisions should also be posted on the website.

Why can a medical facility collect consent for data processing?

The processing of patients’ personal data for purposes that are not directly related to the provision of medical care and treatment is possible only with the patient’s consent.

For what purposes can medical institutions use the personal data of individuals? First, for marketing or any other purposes to receive positive reviews, comments and attract new clients.

Another example of the possibility of using personal data is conducting scientific research. Here is an example of a request for the patient’s explicit consent given in the Polish Code:

“MPM prosi o wyraźną zgodę pacjenta na przekazanie jego dokumentacji medycznej do eksperta z biobanku, do którego MPM zwraca się o dokonanie analizy naukowej. Z uwagi na szczególny charakter tych informacji MPM prosi o podpis osobę, której dane dotyczą, w celu uzyskania ważnej wyraźnej zgody oraz aby móc później wykazać, że taką wyraźną zgodę od tego pacjenta otrzymano”.

The medical facility requests the patient’s consent to transfer his or her medical documentation (from the biobank in this case) for scientific analysis. The data subject’s signature will be deemed to be such express consent.

Is it possible to withdraw the consent?

Yes, each data subject must be informed that his consent to processing personal data is valid until the moment of its withdrawal. In practice, this means that if consent has been obtained, for example, via a website, it should also be possible to withdraw it via that website.

Can patients’ personal data be used to conduct various types of surveys?

According to the provisions of the approved Code, if the facility wants to conduct a survey, for example, regarding the quality of service provision, or the conditions of treatment, such surveys must be anonymous. In addition, using the patient’s data to send an invitation to participate in the survey or the survey itself will be unacceptable. Of course, the survey results cannot be associated with negative consequences for the patient who critically evaluated the doctor or the quality of services.

CCTV in medical facilities

As stated in the Code, a medical facility must notify people who may be in the area of such cameras before using CCTV. This video surveillance of the patient can limit the possibilities of anonymous movement and use of services.

The principles of Article 5 of the GDPR should always be carefully considered when working with CCTV. The data protection issues in each situation with video technologies may differ, as well as the legal analysis when using a particular technology.

In addition to privacy issues, there are risks related to the possible malfunctions of these devices, as the software used for facial identification or analysis works differently depending on the age, gender and ethnicity of the person.

Therefore, the medical facility must inform the data subject about the video surveillance by placing information boards on the territory, information bulletins or the official website.

When determining the terms of records storage by medical facilities, it is necessary to consider the purpose for which they are created. As stated in the Code:

“Jako maksymalny okres przechowywania nagrania wskazano 3 miesiące od daty jego sporządzenia. Nagrania można przechowywać dłużej niż 3 miesiące w szczególności w przypadku, kiedy są one dowodem w postępowaniu (np. kiedy policja poprosiła o zabezpieczenie nagrania). ”

That is, the maximum possible storage period of the video recording, in this case, is three months, except when it is evidence in court proceedings.

Why is adopting a code of conduct a good idea?

Adopting and enforcing codes of conduct demonstrates a company’s compliance with the GDPR. Therefore, the decision to adopt and not follow the code further cannot be taken lightly.

In conclusion, compliance with approved codes of conduct is necessary to take the processing of personal data of data subjects seriously and understand that the protection of personal data is an ongoing process and take into account the provisions of the GDPR regarding liability for breaches of obligations about such protection.