FAQ: the "health vigilance systems" Standard

02 January 2023

Organisations whose personal data processing operations comply with the "health vigilance systems" standard are only required to make a notification of compliance prior to the commencement of the processing operations.

1. To whom is this standard addressed?


2. Does the “health vigilance systems” standard apply to the processing of personal data implemented by healthcare professionals and institutions as well as health agencies?


3. What types of health vigilance systems are covered by this standard?


4. I complied with the former AU-013 regarding the processing of personal data implemented for the purposes of pharmacovigilance management. Do I need to notify compliance with this standard?


5. What is the legal basis in the standard for the processing of personal data for health vigilance purposes?


6. Under what conditions can a company responsible for marketing a medicine, device or product collect data revealing ethnic origin?


7. How long is personal data retained in the context of health vigilance management?


8. How should the data subject be informed when the adverse sanitary event is reported by a person other than the person exposed to it?


9. In order to comply with the standard, is it necessary to use an approved or certified health data hosting service?


10. Is it necessary to conduct a privacy impact assessment prior to the implementation of personal data processing for the purposes of health vigilance management?


11. Can the National Individual Identification Number (NIR) be used to identify persons exposed to an adverse sanitary event within the standard?


12. Can genetic data be collected in the processing of personal data within the “health vigilance systems” standard?


13. Can data be transferred outside of the EU in the context of this standard?