The EDPB recently issued guidelines on how to use health data during the current pandemic in compliance with GDPR. The COVID-19 pandemic has prompted many research efforts to fight the virus. The EDPB’s guidelines shed light on the special rules for processing health data for scientific research, which apply in the context of the COVID-19 pandemic:

  • Legal basis for processing: The EDPB explained that the processing of health data for purposes of scientific research must be covered by one of the legal bases set out in Article 6(1) GDPR, such as consent. If consent is the legal basis that is relied on, the consent must be freely given and the data subject must be able to freely revoke consent. Member states may enact specific laws to enable the processing for scientific research purposes, as long as they are consistent with Article 5, Article 32 and Article 89 of the GDPR. Member states must also assess if a Data Processing Impact Assessment should be carried out.
  • Protection of information: The guidelines also remind entities that GDPR’s protection principles are still imperative, even if data is being processed for scientific research purposes. The guidelines discuss several of these principles. These include collecting information only for specific purposes and not using the information beyond those specific purposes. Personal data also needs to be processed fairly and in a transparent manner in relation to data subjects. The guidelines also remind those using health information to keep it only for as long as is strictly necessary to process the data for scientific research purposes, and to use adequate protection safeguards.
  • Transferring outside of the EU: For transfers of personal data outside the EU to countries where there is no adequacy decision or appropriate safeguards, the guidelines include reminders about the restrictions on transfers. The EDPB reminds public authorities and private entities that in those circumstances they may rely on exceptions that are set out in Article 49 of the GDPR, such as consent. These determinations should be made on a case-by-case basis.

Putting it Into Practice: Those who wish to use health information to foster scientific research during the COVID-19 pandemic can use these guidelines to understand GDPR requirements. As the EDPB emphasizes, these still apply when processing such data.
