GDPR compliance for SPSTI

SPSTIs and the GDPR: what are the issues?

The field of occupational health and safety has been undergoing constant and rapid change for several years now. Since the strengthening of the prevention aspect, one law after another has been passed to develop practices that protect workers' health.


These regulations, of which the certification requirement is the most recent piece of the puzzle, place increasing emphasis on data protection and compliance with the GDPR. This is entirely logical given the recent use of NIS by SPSTIs, the opening up of their access to the DMP, and so on.


In this context, compliance is taking on a central role in the movements underway, and is becoming an essential condition for each SPSTI to be able to sustain its activity over the coming years.

Specific support arrangements

Our team takes a number of specific aspects into account when assisting SPSTIs with compliance, or taking on the role of outsourced DPO (including a support component):


  • The administrative teams have little time to spare, as they are busy with the workload involved in the above-mentioned changes.


  • Medical teams have little time to spare, impacted by the severe lack of medical resources felt by all the SPSTIs without exception.


  • The specific nature of the relationship between the SPSTI and its users, who are companies that are members of an association, must be taken into account in communications with the various stakeholders.


  • Support for the certification project, and for maintaining it, must be proactive.


  • Awareness-raising on the subject of data protection should be offered to both the management and the Board of Directors.

The outsourced timeshare DPO for a SPSTI

The Data Protection Officer (DPO) is responsible for managing the organisation's compliance with the GDPR and ensuring that it is maintained over time.


A timeshare DPO has the particularity of sharing his or her working time with several organisations. This flexible service allows you to call on the services of an expert DPO when you need them (from 1/2 day per month), and to pay only for the time actually worked by our teams.


This service includes:

  • Information, support and advice for the organisation.

  • Checking the compliance of data processing carried out, as well as overall compliance with the GDPR in terms of personal data protection.

  • Training and awareness-raising for employees and management teams.

  • Point of contact with the supervisory authority (CNIL).

  • Maintaining the organisation's data processing register, as well as other necessary registers (register of subcontractors, register of exercises of Data Protection Rights, etc.).

  • Organising internal procedures and responding to requests from your users and/or customers to exercise their Data Protection rights.

Why choose us?

  • For our excellent understanding of healthcare.

  • For our ease of communication with doctors.

  • This service is managed by David Rozier, a senior DPO who has worked for Grenoble Alpes University Hospital.

  • Because we already work with several SPSTIs.

  • For the close collaboration between our GDPR compliance experts and our cybersecurity experts.

Are you an SPSTI and need to work on your regulatory compliance with the GDPR?


Find out more about our GDPR compliance services for SPSTIs in this customer case study. It consists of a customer case study sheet, a business sector presentation sheet and a product sheet for the associated service!



Discover the testimonials of some of our clients (all of them SPSTIs) regarding our outsourced timeshare DPO service.

Frédérique Guede, Head of operational organisation at PST38

"I'm not sure if the offer that is made exists with other providers [...]. It is a complete handling that I have not found elsewhere [...]. Mr Rozier knows how to put us at ease, how to listen to us in order to understand our problems, the way we work, the specificity of our service, so as to respond to us in the best possible way, and so as to enable us to continue to work efficiently."


Céline Fages, Managing Director at Présantis

"I really appreciated the high standards and seriousness shown by David and Saghar. [...] Once again, everything was concise, fast and efficient, which meant I could follow what was happening almost in real time."

Find out more about our outsourced timeshare DPO service
  • What are the main issues in health data protection?
    The main issues in terms of health data protection are: a regulatory issue, with possible legal sanctions in the event of a personal data breach; a financial issue, with fines imposed by the CNIL; and a reputational issue, when word of mouth spreads about poor data protection or when the CNIL issues a public sanction.
  • Do health care institutions have to appoint a DPO?
    Yes. All organisations, public or private, that process sensitive data (e.g. health data) or process personal data on a large scale are required to designate a DPO with the CNIL.
  • What particular expertise/skills does a DPO need to have to work in the health field?
    As in any field, support relating to the data used is all the more relevant when the tasks carried out with that data are known and understood. A good knowledge and understanding of the health field is therefore essential to providing relevant support.