Case studies
Examples of some of the practical issues I've worked on
Assisting a US-based digital health company with a hybrid data transfer agreement
Situation
A software company signed an important deal with strategic partners to launch a patient portal for orthopedic practices across the EU.
The in-house team needed help with:
- drafting an appropriate data agreement with the new partners
- reviewing their solution to ensure GDPR compliance
- a better understanding of their responsibilities under the GDPR
Process
To assist, we discussed the details of the project and the roles of all parties involved with the in-house team, and requested a test environment so that we could access the patient portal ourselves.
We have also joined the company in contract negotiations with the partner organization at the client's request.
Results
- The parties reached an agreement that meets GDPR standards, clearly outlines their respective data protection responsibilities, and protects the interests of both sides (a hybrid joint controller-processor agreement).
- The patient portal has been optimized and supplemented with required GDPR wording (such as privacy notices for patients and doctors, necessary opt-ins, etc.).
- The in-house team became more confident regarding their GDPR obligations and was able to independently negotiate future similar agreements with other European clients.
Establishing a DPMS for an e-learning platform for children
Situation
A social enterprise offering an educational game planned to widen its operations and cooperate with European primary schools.
The team, based outside the EU, needed support in ensuring that their processes comply with the GDPR and, to that end, in establishing a Data Protection Management System (DPMS).
Process
After a remote audit with the teams, we gained a good understanding of the internal processes, identified pressing compliance gaps, and assessed privacy risks.
We have also reviewed the game and the process of obtaining consent from parents for their children to participate in the e-learning program.
Results
Based on the outcomes and the organization's goals, we have created a project plan for drafting their policies and procedures, as well as training internal stakeholders on relevant GDPR topics to handle them independently.
Supporting a US clinical trial sponsor as its DPO
Situation
A pharmaceutical company works on developing new cancer treatments. Expanding its clinical trials to a first European site - in Germany - posed several new regulatory challenges, including data protection.
The team needed to confirm whether the GDPR applies to its processing of mostly coded data and to understand its corresponding duties, so that it could conduct the planned research in compliance with local privacy laws and meet its contractual obligations.
Process
We conducted a remote audit with the internal stakeholders at the sponsor organization to understand the structure of the clinical trial and the roles of each party participating in it.
We also reviewed existing policies, procedures, and data security measures to identify possible compliance gaps.
This served as a foundation for outlining priorities and the long-term privacy considerations to keep in mind.
Results
- Contracts with key partners (the CRO and trial sites) that meet GDPR standards and clearly outline respective responsibilities.
- Correct GDPR wording in the Informed Consent Form for trial subjects.
- Strategic plan for defining and implementing suitable procedures to meet accountability duties.
- Registration of the data protection officer with local supervisory authorities.