Health data processing

The European Data Protection Board (EDPB) released a document earlier this year in response to a request by the European Commission for clarifications on the application of the GDPR in the area of scientific health research, which you can read here. However, it’s important to note that the EDPB are currently preparing guidelines on the processing of personal data for scientific research purposes, which are set to be released later this year, which will include further elaborations.

Legal basis for processing of health-related data for scientific research purposes

The European Commission posed a question to the EDPB concerning the appropriate legal bases to rely on when personal data is processed for scientific research purposes. The European Commission was particularly interested in understanding two main issues: the interaction of the GDPR legal bases with the requirement to obtain consent for clinical trials, and whether, given the requirement for certain legal basis to have a foundation in Member State or EU law, whether multiple legal bases could be relied upon by one controller for a single research project conducted across several Member States.

The EDPB’s response states that ethical standards which require informed consent for participation in scientific research can and must be differentiated from explicit consent for processing special categories of personal data. It clarifies that they are different concepts and that consent to conduct the clinical trial is not the same (and should not be held to the same standard) as consent for processing special categories of personal data.

Moreover, with regards to legal bases for scientific research, the EDPB noted that when conducting a scientific research project in multiple Member States, they endorsed the use of the same legal basis across all Member States for processing personal data (including special category personal data) associated with the project. But they recognised that, due to the requirement for an underlying Member State or EU law in relation to some of the legal bases (e.g. legal obligation (art.6(1)(c)), reasons of public interest in the area of public health (art.9(2)(i)) and scientific research (art.9(2)(j)), this may not always be possible and a heterogeneous legal bases may be more appropriate.
Continue Reading EDPB clarifies the application of the GDPR for scientific research