On 21st April 2020, the European Data Protection Board (EDPB) released new guidelines.
As a preliminary remark, the EDPB sees that “there are currently great scientific research efforts in the fight against SARS-CoV-2”, which should lead to research results as soon as possible.
At the same time, there are legal questions regarding the processing of health data within the meaning of Art. 4 No. 15 GDPR.
With its Guidelines, the European Data Protection Board aims to shed light on the most pressing issues in this context, such as legal bases, the implementation of appropriate protective measures and the exercise of rights by data subjects. More detailed guidance on the processing of health data will be published in the planned EDPB guidelines on the processing of health data for the purpose of scientific research (Guidelines, no. 5.2., para. 43). The comments are limited to the field of scientific research and in particular do not concern the field of epidemiological surveillance.
The EDPB emphasises: “Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the COVID-19 pandemic.” (Guidelines, no. 5.2., para. 43)
However, the EDPB states clearly that fundamental rights must be respected when processing sensitive data in the context of the fight against the COVID-19 pandemic, and it makes clear that neither data protection rules nor the freedom of science takes precedence over the other (Guidelines, no. 5.2., para. 43).
Rather, these rights and freedoms must be carefully examined and balanced, as the EDPB notes, to bring out the essence of both.
The guidelines contain definitions of what constitutes health data and their processing for scientific purposes, including the explanation of “further processing”, i.e. primary use versus secondary use (no. 3, para. 6-14).
The EDPB states that any processing of health data must comply with the principles set out in Article 5 GDPR and must also comply with the other requirements listed in Articles 6 and 9 GDPR, pointing out that the legal bases stipulated in the GDPR are of equal importance (Guidelines, no. 4, para. 16).
Consent obtained from the data subject according to Art. 6 (1) (a) and Art. 9 (2) (a) GDPR may provide a legal basis for processing personal data in the COVID-19 context.
At the same time, it is emphasized that the conditions for explicit consent, particularly those found in Art. 4 (11), Art. 6 (1) (a), Art. 7 and Art. 9 (2) (a) GDPR, must be fulfilled. It is further explained that consent – as always – must be freely given, specific, informed, and unambiguous, and requires the data subject’s statement or “clear affirmative action” (Guidelines, no. 4, para. 18).
The guidelines also contain practical examples.
However, the guidelines point out that if the data processing is based on consent, the following implications of consent must be taken into consideration:
- There must be a possibility to withdraw the consent, Art. 7 (3) GDPR.
- In case of a withdrawal, all previous data processing that was based on consent remains lawful in accordance with the GDPR, but the controller must stop the processing activities going forward and must delete the data if there is no justification for further retention (Guidelines, no. 4, para. 22).
The EDPB explicitly points out that according to Article 6 (1) (e) or 6 (1) (f) GDPR in conjunction with the enacted derogations under Art. 9 (2) (j) or Art. 9 (2) (i) GDPR, the national legislator of each European Member State may establish a legal basis for the processing of health data for scientific research (for the context of clinical trials this has already been clarified by the EDPB; please see the guidelines with further reference). In case national legislators adopt appropriate legal bases, their conditions and the possible scope of data processing will depend on these national laws and therefore may vary.
The guidelines contain – with reference to the GDPR – further information and notes on the interpretation of the law and other requirements to be observed.
Data Protection Principles
The EDPB further clarifies that the transparency principle of Art. 5 GDPR is closely linked to the information obligations towards data subjects resulting from Art. 13 and 14 GDPR. This implies that the data subjects must be informed individually and that this information must contain the elements mentioned in Articles 13 and 14. It should be noted that scientists often process data that they have not obtained directly from the data subject (using data from patient records or using data of patients from other countries), to which Art. 14 GDPR applies. The EDPB therefore also draws attention to the safeguards to be observed under Art. 89 (1) GDPR.
The guidelines also provide further information, for instance, regarding possible exceptions according to Art. 14 (5) (b) GDPR (“very few situations”) (Guidelines, no. 5, para. 32 et seq.). Moreover, it should be assessed carefully whether there is a need to carry out a data protection impact assessment, Art. 35 GDPR.
The EDPB guidelines furthermore contain important details on purpose limitation, presumption of compatibility, data minimisation, storage limitation and integrity and confidentiality (Guidelines, no. 6, para. 42 et seq.). The sensitivity of health data requires, as Art. 89 GDPR emphasizes, strong technical and organisational measures and the observance of privacy by design and default.
Regarding the storage limitation, it is stated that deletion periods must be defined and implemented and that they also must be proportionate. The criteria for determining proportionate deletion periods would be the length and purpose of the studies. It is said that the data has to be anonymised wherever the scientific research can still be performed on anonymised data. In this context, national regulations may also need to be considered.
With regard to the exercise of the data subjects’ rights, the EDPB clarifies that – in fact – they are neither suspended nor restricted. However, Art. 89 (2) GDPR allows the national legislator to restrict some of the data subjects’ rights as set out in Chapter 3 of the regulation (Guidelines, no. 6, para. 55). If national legislators were to act in this respect, this could lead to differences in the rights of data subjects in the different legislations. The EDPB points out that any restrictions of data subjects’ rights – in the light of the jurisprudence of the ECJ – must apply only in so far as they are strictly necessary.
International Data Transfers
The EDPB is aware that in the context of the fight against the COVID-19 pandemic, the processing and exchange of health data may also become required beyond the EEA border.
In this case, the data exporter shall also comply with Chapter V of the GDPR (data transfers to third countries or international organisations).
The data subjects have to be informed that their data is being transferred outside the EEA (e.g. to a third country or an international organisation). The data subjects must therefore be informed whether an adequacy decision by the European Commission exists or whether the transfer is based on a suitable safeguard as per Art. 46 GDPR or on a derogation of Art. 49 GDPR. Here, the EDPB notes that the derogations in Art. 49 GDPR “do have exceptional character only” (Guidelines, Key findings, no. 8).
A summary of the key findings can be found at the end of the guidelines.
It is to be expected and hoped that national legislators will issue regulations that provide a clear legal basis for the processing of health data in the context of the fight against the COVID-19 pandemic. We will keep you informed.