On April 21, 2020, the European Data Protection Board (“Board”) issued guidelines on the processing of personal data for scientific research related to COVID-19.  The Board indicates that the GDPR takes into account the needs of scientific research and should not be a barrier to conducting such research, while at the same time, it helps ensure respect for the fundamental rights of patients.

That being said, the Board’s guidelines do not resolve all the issues that arise due to the complexities of this legal framework.  For example, in terms of the legal basis for processing health data for scientific research, the Board rightly points out that there are two main options available: consent or a basis in EU Member State law.  As we mentioned in a prior blog post, the problem that arises here is the divergent requirements of national laws, which often prevent a uniform application of the rules and exemptions.  Regarding the equally fundamental issue of the further use of health data, the Board repeats the favorable language of the GDPR (qualifying scientific research, by default, as a compatible further use) but refrains from expounding on it “due to its horizontal and complex nature”.

In addition, the Board’s guidelines highlight and consider derogations to certain data subject rights, such as the right of information and the possibility to retain personal data for longer periods of time if necessary for scientific research.  The guidelines stress, however, that these derogations in favor of scientific research should be used sparingly and accompanied by safeguards, such as pseudonymization, to reduce the risk for the individuals concerned.  This heavy emphasis on the limitations to the derogations may risk undercutting the central message of the guidelines: that the GDPR should not obstruct scientific research.

Finally, the Board accepts that the fight against COVID-19 is a recognized public interest, which, at least under the current exceptional circumstances, allows organizations to set aside normal restrictions on international transfers of personal data to enable institutions and companies outside the EU to continue their efforts to fight the disease.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.