Compliance with data protection requirements under the General Data Protection Regulation (GDPR)
Processing of data in accordance with the General Data Protection Regulation (GDPR)
- According to the provisions of the GDPR, the party responsible for the processing of personal data is the one who determines what the data is to be processed for (purposes) and how the processing is to be carried out (means of processing, e.g. by an AI). If two companies jointly determine the purposes and means, there is joint responsibility under data protection law in accordance with Art. 26 GDPR. Such joint data protection responsibility exists between the client (pharmaceutical company) and ADVANCE®AI if the client’s pharma representatives use the ADVANCE®AI application (“AI” or “application”) during their visits to physicians and both the physicians’ and the pharma representatives’ data are processed in the process. The client wishes to use the AI provided by ADVANCE®AI to collect or analyse the data of its pharma representatives for the purposes of further training and quality assurance and to use the results for this purpose. ADVANCE®AI supports the client in this by processing the corresponding data of the pharma representatives using the AI it provides and operates on its own responsibility. The pharma representative accesses the application via his/her mobile device / iPad. The AI also processes physicians’ data, which is, however, made available to the client as part of the analysis without any specific personal reference.
- The AI is used to analyse the conversation between the physician and the pharma representative. According to the provisions of the GDPR, the analysing is only permitted with the prior voluntary consent of the physician. The GDPR permits verbal, electronic or written consent. In addition, in Germany, the secret (unauthorised) analysing of the non-publicly spoken word is punishable under Section 201 of the German Criminal Code (StGB); with consent, the analysing is not unauthorised.
- Pursuant to Art. 7 (1) in conjunction with Art. 5 GDPR, the data controller must prove that the data subject (physician) has consented and for what purpose. In addition, the data controller is obliged to inform the physician about the handling of their data and their rights under data protection law in accordance with Art. 13 and 14 GDPR.
- A separate consent is required for each analysis of a call, regardless of whether the physician has previously consented. The physician also has the right to withdraw their consent at any time per Art. 7 para. 3 GDPR and must be informed of that right.
Obtaining Physician consent
- At the start of the discussion, the pharma representative enters the physician’s name in the application.
- The pharma representative then obtains the physician’s consent to analyse the interview and informs him/her of the kind of analysis performed.
- It is sufficient for the pharma representative to ask the physician whether the interview may be analysed using the AI for training and quality assurance purposes and whether the physician wishes to give his/her consent. To inform the physician about the handling of his/her data, it is sufficient for the representative to provide the physician with a flyer or business card with a link, show him/her the data regulation in the app, or inform him/her verbally.
- The consent question should be worded as follows: “Dear Dr XY, do you agree that I may analyse the interview for training and quality assurance purposes?” The physician should then answer “Yes”.
- If the physician agrees, the interview may be analysed; if the physician refuses, the interview cannot be analysed.
- To document the necessary consent of the physician, it is sufficient for the representative to press the analyse button, which implies that the consent of the HCP has been obtained. This consent is then permanently stored by the ADVANCE®AI application.
- At the end of the interview, the pharma representative stops the analysis in the application.
Right of Access to data and anonymisation
In theory, the physician has the right under Article 15 GDPR to receive information and copies of the data processed by the respective data controller. This includes information about the visit itself (e.g. making an appointment), the content of the analysis and the consent given by the physician. However, in this particular case, this right only applies to the information and copies relating to consent – not beyond. What is the reason for this?
- Per Article 15 (4) of the GDPR, the rights and freedoms of the pharma representatives stand in the way of transmitting a copy of the evaluation results (analysis). This is because the evaluations relate exclusively to the personality and behavioural aspects of the pharma representatives and not to the physician.
- The evaluation/analysis does not contain any (personal) data relating to the physician and the physician’s office. In addition, the data is changed during processing by ADVANCE®AI in such a way that re-identification of the physician by ADVANCE®AI and ultimately also by the client would only be possible with a completely disproportionate effort (de facto anonymisation).
- A pseudonym also replaces the names of the pharma representatives or other identifying features so that re-identification is difficult or even impossible.
- The call recordings are permanently deleted within microseconds after the AI analysis is completed. However, anonymized snippets showcasing best practice communication techniques by representatives (excluding any parts of the doctor’s speech) may be retained.
- The collected analyses (KPIs) are aggregated to prevent access to individual analyses. Even with a possible link to the pharma representative’s diary or other characteristics, it is impossible to trace which dialogue partners were visited when and to whom the analysis relates.