1. EU Data Protection Laws and
Health Data and Apps
Jovan Stevovic
jovan@chino.io

2. PhD in Privacy and HealthTech
&
R&D at GPI Spa
Background
2010-2014 2015 to now2010
CEO and Co-founderMSc in HealthTech
MSc Computer Science PhD Computer Science
MSc Computer Science PhD Computer ScienceJovan

3. Why is Chino.io unique
Founded in 2014 by experts in health IT and compliance
Customers in 15 EU states, US, Australia
Offices in Trento and Berlin
The only ISO 13485 certified DBaaS
3 PhDs , 8 MSc, 1 LL.M, 1 patent and 10+ publications

4. Customers and partners
50+ companies in the EU and US are secure and compliant with Chino.io
PARTNERS
30+ SW DEV AGENCIES, LAWYERS, CONSULTANTS,
DIGITAL HEALTH ACCELERATORS, SW PROVIDERS
1ST PLACE IN 2014
ON CYBERSECURITY
SME INSTRUMENT
PHASE 1 AND 2
BENEFICIARY
AWARDS

5. ~1M eHealth services
COLLECTING, STORING AND SHARING HEALTH DATA
CAGR 20%

6. 85% NOT COMPLIANT
Global Privacy Sweep 2014
http://www.bbc.com/news/technology-29143107

10. 11

11. Data Economy and Surveillance Capitalism
DATA = €€
Carole Cadwalladr

12. Privacy vs Data Protection vs Security
Data
Security
Privacy
(human right)
GDPR
data portability
data encryption
gov. surveillance

13. Personal vs. Health Sensitive data
14

14. When GDPR applies?
15
‘Any information relating to an
identified or identifiable
natural person (data subject)’
Art. 4(1) GDPR

15. Identifier
16
e.g. Name, an identification number, location data,
an online identifier or to one or more factors
specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that
natural person.

16. Health data
18
‘Personal data related to the physical or mental health of a
natural person, including the provision of health care
services, which reveal information about his or her health
status’
Art. 4(15) GDPR
Check out our eBooks on our website

17. All sensitive data
19 Check out our eBooks on our website
Managing sensitive data
implies criminal
responsibility

18. Anonymous data
20
ANONYMOUS
DATA
Check out our eBooks on our website

19. Aggregate + aggregate + aggregate = identification?
21
With the development of new IT
techniques data which could have not been
able to identify a person now suddenly can,
if aggregated with other data

20. Pseudonymous data
22
ANONYMOUS
DATA
Check out our eBooks on our website
PSEUDONYMOUS
DATA

21. Pseudonymous data
23
ANONYMOUS
DATA
PSEUDONYMOUS
DATA
AOL Search Data Scandal Netflix Prize Scandal

22. Regulatory Compliance in Healthcare is complex
COSTS TIMERISKS
MDR National Laws
ISO 27001
ISO 13485HIPAA
ePrivacy Reg.
CCPA

23. Why is GDPR compliance so complex
CLOUD PROVIDER
+
YOUR SYS ADMIN
YOUR TECH TEAM
+
SECURITY EXPERTISE
Risk Impact Assessment
Terms & Conditions
DPA and BAA
Privacy Policy
Immutable audit logs
Auth & Access Control
Consent tracking
Data Encryption
TECHNICALPHYSICAL LEGAL
Encrypted Backups
Firewalls
VM Security
Facility protection
and many moreand many moreand many more
YOUR LEGAL TEAM
+
CONSULTANTS

24. CLOUD PROVIDER
Chino.io closes the compliance gap and ensures the
implementation of all technical and administrative
requirements based on your business needs
Risk Impact Assessment
Terms & Conditions
DPA and BAA
Privacy Policy
Immutable audit logs
Auth & Access Control
Consent tracking
Data Encryption
TECHNICALPHYSICAL LEGAL
Encrypted Backups
Firewalls
VM Security
Facility protection
and many moreand many moreand many more
Chino.io: a complete solution to compliance

25. How Chino.io works
• data encryption (at record level)
• pseudonymization
• consent management
• user identity and authentication
• access control policies
• legally valid immutable audit logs
• data portability
• right to be forgotten
• backups
• security updates
• security documentation
• and many more…
YOUR APPLICATION
BACKENDFRONTEND
Your Service
ALGORITHMS
OTHER DATA
USER
MANAGEMENT
HEALTH
DATA ENCRYPTION
OTHER GDPR & HIPAA
COMPLIANCE
Chino.io
ANALYTICS

26. Value of using Chino.io
Our secure-by-design and ISO 9001,13485 and 27001 certified platform allows customers to streamline
the processes and reduce documentation efforts required for:
• Obtaining CE Marking under MDR
• Certifying applications and companies under ISO normative
• Achieve the requirements for DVG (Germany), NHS (UK) and other country-specific requirements
CUT COSTS SAVE TIMEELIMINATE RISKS
Shorten time to
market by 6-9 months
Save 100K+ Euro
per year per project
STAY COMPLIANT
We keep you compliant and
streamline compliance across
your organisation.
for sensitive data
management
GDPR
HIPAA

27. EU Data Protection Laws and
Health Data and Apps
Jovan Stevovic
jovan@chino.io