Posted on by MIL OSI Publisher

Answer to a written question – Privatisation of preventive screening – E-001681/2025(ASW)

Source: European Parliament

The protection of personal data in the EU is ensured by the General Data Protection Regulation (GDPR)[1] which applies to both public and private organisations in the EU.

Genetic data fall within the special categories of personal data which can be processed only if one of the conditions in Article 9(2) GDPR is fulfilled. This provides an additional layer of protection considering the potential risks arising from the processing of this type of data.

Following the GDPR risk-based approach, controllers and processors must put in place adequate technical and organisational measures to ensure a level of security appropriate to the risk (Articles 5(1)(f) and 32 GDPR).

If the envisaged processing is likely to result in a high risk, the controller has to conduct a Data Protection Impact Assessment (DPIA), and in some situations, to consult the competent Data Protection Authority (DPA).

In line with Article 28 GDPR, the controller has to choose a processor that provides sufficient guarantees in terms of data protection.

The binding contract or other legal act governing their relationship shall stipulate, among others, that the processor must ensure that its staff authorised to process the data have committed themselves to confidentiality. The GDPR does not impose the public disclosure of the contract, nor the funding.

It follows that the Greek public authority, acting as controller, is responsible for ensuring that the data processing for the preventive screening meets the GDPR standards.

The monitoring and enforcement of the application of the GDPR falls within the competence of the national DPAs and courts, without prejudice to the Commission’s competences as guardian of the Treaties.

It is therefore for the Greek DPA to examine whether the ‘programmatic agreement’ complies with the GDPR.

  • [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), OJ L 119, 4.5.2016, p. 1-88.