29 April 2020

EDPB Addresses the Protection of Health Data

The development of new and more detailed guidance for the processing of health data is part of the annual work plan of the European Data Protection Board (“EDPB”). For now, on April 21, 2020, the EDPB adopted Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (“Guidelines”), with the aim of safeguarding everyone’s right to the protection of personal data in the midst of a global coronavirus pandemic.

Due to the pandemic, many scientific research efforts are under way to fight SARS-CoV-2, with the aim of producing research results as fast as possible. As far as the application of the General Data Protection Regulation (“GDPR”) is concerned, we have addressed the processing of health data in one of our previous articles. However, it is important to note that the GDPR is a broad piece of legislation containing several provisions allowing for the processing of personal data for the purpose of scientific research connected to the COVID-19 pandemic in compliance with the fundamental rights to privacy and personal data protection. The GDPR also foresees a specific derogation to the prohibition of processing certain special categories of personal data, such as health data, where it is necessary for these purposes of scientific research. The key for keeping everyone’s rights intact is that the freedom of science as enshrined in the Charter of Fundamental Rights of the European Union, on one side, and the GDPR data protection rules, on the other, are equally weighted and provide an outcome which respects the essence of both.


What is data concerning health?

Data concerning health deserves higher protection than other non-sensitive data, as the use of such sensitive data may have significant adverse impact on data subjects.  This is why data concerning health is afforded the broadest possible interpretation.  In the Guidelines, the EDPB gives examples of what data concerning health may imply:

  • Information collected by a health care provider in a patient record (such as medical history and results of examinations and treatments).
  • Information that becomes health data by cross-referencing with other data, thus revealing the state of health or health risks (such as the assumption that a person has a higher risk of suffering heart attacks based on the high blood pressure measured over a certain period of time).
  • Information from a “self-check” survey, where data subjects answer questions related to their health (such as stating symptoms).
  • Information that becomes health data because of its usage in a specific context (such as information regarding a recent trip to or presence in a region affected with COVID-19 processed by a medical professional to make a diagnosis).

What are the possible legal bases for processing such data?

The first ground under the GDPR which may serve as a legal basis for processing data concerning health is consent.  Consent must be given freely, be specific, informed and unambiguous, and it must be made by way of a statement or clear affirmative action.

The second is national legislation.  Both the EU and the national legislator of each Member State may enact specific legislation in accordance with the GDPR, with the goal of providing a legal basis for the processing of health data for the purpose of scientific research.


What are the main principles on which data protection rests?

The principle of transparency and information to data subjects means that personal data shall be processed fairly and in a transparent manner in relation to the data subject. A data subject must be individually informed of the existence of the processing operation and that personal (health) data is being processed for scientific purposes.

The principle of purpose limitation and presumption of compatibility – as a general rule prescribed by the GDPR, data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

The principle of data minimization and storage limitation means that in scientific research, data minimization can be achieved through the requirement of specifying the research questions and assessing the type and amount of data necessary to properly answer these research questions.  Which data is needed depends on the purpose of the research even when the research is of an explorative nature and should always comply with the purpose limitation principle in accordance with the GDPR.  It should be noted that the data has to be anonymized where it is possible to perform scientific research with anonymized data.  Additionally, proportionate storage periods shall be set.

The principle of integrity and confidentiality implies that sensitive data such as health data merit higher protection, as their processing is more likely to have a negative impact on data subjects. Attention must be directed towards the foreseeable re-use of health data for scientific purposes, which leads to an increase in the number and type of entities processing such data.

On the whole, situations such as the current COVID-19 outbreak do not suspend or restrict the possibility of data subjects to exercise their rights under the GDPR. Nevertheless, the GDPR allows the national legislator to restrict some of the data subject’s rights. Within the context of research, and especially in the context of the COVID-19 pandemic, there will probably be a need for international cooperation that may also imply international transfers of data concerning health for the purpose of scientific research outside of the European Economic Area (“EEA”). When personal data is transferred to a non-EEA country or an international organization, the transfer must be compliant with the rules set out in the GDPR, while the data exporter has a duty to inform data subjects about their intention to transfer personal data to a third country or an international organization.

Notably, when considering how to address such conditions for the transfer of personal data to third countries or international organizations, data exporters should assess the risks to the rights and freedoms of data subjects of each transfer, and in that regard favor solutions that guarantee data subjects protection of their fundamental rights and safeguard the processing of data, even after it has been transferred.


For more information, please contact us via covid19@geciclaw.com.