The novel coronavirus pandemic has created an immediate and immense need for scientific research. Amid this urgency, the European Data Protection Board (EDPB), during its twenty-third plenary session held on April 21, adopted guidelines to shed light on legal questions concerning the use of health data (pursuant to article 4(15) of the General Data Protection Regulation (GDPR)) for such research purposes.
The guidelines reiterate that data protection rules do not hinder measures taken to combat the coronavirus outbreak and in fact provide special rules for the processing of health data for the purpose of scientific research (for instance, in article 9(2)(j) and article 89(2)) that will be applicable in the current crisis.
Data controllers and processors must respect the data protection principles set out in article 5 of the GDPR, and all processing of health data must comply with one of the legal grounds and the specific derogations listed respectively in articles 6 and 9 of the GDPR for the lawful processing of this special category of data. The guidelines specifically address the rules concerning consent and respective national legislation. It also spells out the important aspects of the article 5 principles.
Given the present challenging times, the guidance points out that the GDPR allows for national legislators to restrict some of the data subject’s rights, and further, some restrictions of their rights can be based directly on the GDPR, for instance, the access right restriction pursuant to article 15(4). However, all restrictions of such rights must apply only insofar as it is strictly necessary.
Lastly, the guidelines also recognize the potential need for international cooperation, which may imply international transfers of health data for the purpose of scientific research outside of the European Economic Area. Mindful that urgent action in the field of scientific research may be required, when it is not possible to rely on an adequacy decision pursuant to article 45(3) or on appropriate safeguards pursuant to article 46, as a temporary measure, the guidelines allow both public and private institutions to rely upon derogations under articles 49(1)(d) (“transfer necessary for important reasons of public interest”) and 49(1)(a) (“data subject has explicitly consented”) when transferring data. However, these derogations are exemptions from the general rule – they must be interpreted restrictively, and on a case-by-case basis.
You can find these guidelines here. The development of a further and more detailed guidance for the processing of health data for the purpose of scientific research is part of EDPB’s annual work plan.