The Commission for Personal Data Protection (“CPDP” / “the Commission”) ruled an opinion on three substantial public matters.
In the first place, with opinion as of May 27th, 2019, CPDP enacted that for the medical institutions as data controllers there is no legal basis for requiring a notary certification of the signature when authorizing another person to exercise data subjects’ rights under article 15-22 of Regulation (EU) 2016/679 (“the Regulation”). It is sufficient to provide an ordinary power of attorney.
With an opinion dated June 10th, 2019, CPDP gives explanations regarding the clinical trials conducted by medical institutions. In such cases they process the participants’ personal data for the purposes of the relevant trial. The Commission examines in detail the figures of a “controller” and “processor” as well as the legal relations between the participants in the commercial and civil turnover, in relation to the personal data they process. In this respect, it is stated that the medical institutions and the assignee of the clinical trial have the status of joint controllers within the meaning under article 26 of the Regulation. All actions of the assignee and the institution while conducting the trial, including the exchange of information between them, shall be treated specifically for the purpose of the clinical trial.
CPDP also interprets the “controller” and “processor” figures in respect of the companies offering payment services. Accordingly, the Commission published an opinion pursuant to which the payment service providers, exercising their activity under the strict and comprehensive regulatory arrangements shall be considered as an independent personal data controllers.