Pharmacies and Data Protection

Pharmacies, although it may not seem so, are among the establishments we use daily that must be identified as subject to the European Data Protection Regulation (RGPD) and the new LOPD.

Pharmacies are considered “private health establishments of public interest” according to Article 1 of Law 16/1997 of April 25, 1997, on the Regulation of Pharmacy Services.

Of the functions assigned to pharmacy offices, three deserve particular attention, since they are directly related to the protection of personal data:

1-. The acquisition, custody, conservation and dispensing of medicines and medical devices

2-. Monitoring, control and custody of dispensed medical prescriptions

3-. Information on and monitoring of pharmacological treatments for patients

Is there any processing of personal data in these activities carried out by the Pharmacies?

The answer is not the same in all cases.

If only medicines are dispensed and no personal data is collected from the person acquiring them, there is no processing of personal data.

However, if a record is kept of the medicine dispensed together with the identity of the person who buys it, then personal data is being processed, and such data must therefore be handled in strict compliance with the RGPD and the LOPD.

Do Pharmacies need to obtain the consent of their customers/patients for the processing of their data?

As a general rule, the processing of health-related data is prohibited by data protection regulations, as it is considered data of special protection, according to Article 9 of the RGPD and Article 9 of the LOPD.

However, where the purpose of processing health data is the provision of health or social care or treatment, or the management of health and social care systems and services (Article 9.2.h) RGPD), it can be stated that the processing is lawful without the consent of the data subject, since such processing is necessary for compliance with a legal obligation applicable to the data controller (Article 6.1.c) RGPD); for the Pharmacy, that legal obligation is the dispensing of medicines.

This statement is also supported by Article 9.3 of the GDPR, which specifies that the processing of health data for the provision of health or social care or treatment, or the management of health and social care systems and services is valid when the processing is carried out by a professional subject to professional secrecy.

The Code of Ethics of the Pharmaceutical Profession, approved by the General Assembly of Official Associations of Pharmacists on March 7, 2018, provides in Article 6.4 that “professional secrecy is inherent to the exercise of the pharmaceutical profession and the pharmacist is obliged to safeguard the privacy of the patient/user.”

In addition, Article 19.2 of Royal Decree 1718/2010, of December 17, 2010, on medical prescriptions and dispensing orders, states that the consent of the data subject shall not be required for the processing and transfer of data resulting from the implementation of information systems based on medical prescriptions in paper or electronic format; that is, if the Pharmacy does not keep such personal data in a commercial file of its own, it shall not be necessary to have the prior and express consent of the data subject to process his/her data.

Thus, if a person goes to a Pharmacy and buys his or her medications through a medical prescription (either paper or electronic), the Pharmacy is not required to have the patient’s consent because of the exception mentioned above.

But what if the pharmacy stores my personal data in its own commercial file to follow up on my medical treatment or send me offers for its products?

Then it will be necessary for the Pharmacy to obtain the consent of the data subject himself. The processing of personal data will be carried out directly by the pharmacist as the person responsible for the processing.

What should be included in the consent document?

How to treat the data of customers who place their orders through the Pharmacy’s website?

Should consent be requested for loyalty cards in Pharmacies?

What other data protection obligations do pharmacies have to their employees, processors, custodians, etc.?

To resolve these questions, contact your Business Adapter Consultant for documentation and instructions.

If you are not yet a client and you want us to help you comply with the European and Spanish data protection regulations (RGPD + LOPD), to which any company or professional, and in this case also individuals, are obliged, contact us by email at info@businessadapter.es, call 96 131 88 04, or leave your message in this form:

Contact us, we will be pleased to help you: https://businessadapter.es/contacto