GDPR questions and answers

Category:
Data Processing

Is use of non-commercial antivirus software by a medical facility compliant with the GDPR?

ANSWER

The GDPR does not prescribe in any provision which technical or organisational measures a data controller must implement. Article 24(1) GDPR requires only "appropriate technical and organisational measures", and Article 32 GDPR confirms this risk-based approach. Each controller therefore decides for itself which measures it considers appropriate for the data it processes.

As regards use of non-commercial antivirus software by a medical facility acting as data controller, such a solution is not impermissible or prohibited by the GDPR, because the Regulation simply does not regulate it. It should however be noted that this would be a very risky approach and use of such programs is not recommended, because a medical facility as data controller mainly processes special category personal data, namely health data. The risk of relying on non-commercial programs is that, in the event of an inspection by the supervisory authority, the authority may find that the controller has not tailored its technical measures to the "weight" of the personal data processed. As a rule, use of non-commercial antivirus programs is therefore discouraged: for a medical facility and the type of data such an entity typically processes (special category data), the supervisory authority may assess such a choice as failing to ensure an appropriate level of security.

Non-commercial antivirus in a medical facility: GDPR compliant? | ODO 24