On February 2, 2021, the European Data Protection Board (“Board”) responded to questions submitted by the European Commission (“Commission”) on the application of the General Data Protection Regulation (“GDPR”) to health research.  The Board also announced that it is currently working on guidelines on the processing of personal data for scientific research purposes, which it aims to publish in the course of 2021.

The Commission’s questions covered the following seven topics:

  1. legal basis for processing of health-related data for scientific research purposes;
  2. further processing of previously collected health data;
  3. the notion of broad consent;
  4. transparency of data processing;
  5. anonymization;
  6. processing of special categories of data on a large scale; and
  7. international cooperation.

Regarding the legal basis for scientific research, the Board acknowledges that differences between EU Member States can be expected, given the leeway the GDPR grants Member States to adopt divergent national rules for the processing of genetic, biometric and health data.  While this may be true, the reality in practice is that most of the divergences that have developed around this topic are not the result of conflicting national laws, but rather, are due to diverging interpretations by Supervisory Authorities, ethics committees and other stakeholders on how to apply the GDPR.

The Board also calls on the Commission to adopt a common legal basis and/or scientific research regime for the planned European Health Data Space, to enable the creation of a common framework for the sharing and exchange of quality health data (see our blog post here).

In some of its responses, the Board refers the Commission back to its previously published guidelines, such as those on (1) the interplay between the GDPR and the Clinical Trials Regulation (see our blog post here) and (2) consent (see our blog post here).  This is the case, for example, when the Board answers questions regarding the possible legal basis for processing clinical trial data, the concept of broad consent, and the meaning of “large scale” processing.

In other responses, however, the Board does not answer the question presented by the Commission, and instead refers to its forthcoming guidelines on the processing of personal data for scientific research purposes.  It does so, for example, when answering questions relating to the further processing of previously collected health data, anonymization of data, and international cooperation.

As discussed in another Covington blog post (available here), the UK Government is considering similar issues as part of its review of health data uses for research and analysis purposes — including balancing access to such data while preserving patient privacy.

The team at Covington will continue to monitor developments on health research and report on the Board’s forthcoming guidance on the processing of personal data for scientific research purposes, once it is released.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Anna Sophia Oberschelp de Meneses Anna Sophia Oberschelp de Meneses

I advise companies across the EU on technology laws, with a focus on data protection, cybersecurity, and current consumer protection laws. I help businesses navigate complex regulations like the GDPR, AI Act, Digital Services Act, Unfair Commercial Practices Directive, and the upcoming Digital…

I advise companies across the EU on technology laws, with a focus on data protection, cybersecurity, and current consumer protection laws. I help businesses navigate complex regulations like the GDPR, AI Act, Digital Services Act, Unfair Commercial Practices Directive, and the upcoming Digital Fairness Act, turning legal requirements into practical, business-friendly solutions.

In data protection, I support tailored GDPR compliance, international data transfers, and privacy-conscious marketing. On cybersecurity, I guide clients through risk assessments, incident response, and evolving laws such as NIS2 and the Cyber Resilience Act. Regarding consumer protection, I advise on existing laws to help businesses revise their terms and conditions for compliance and review online interfaces to ensure all mandatory consumer information is clearly provided, tackling issues like dark patterns and unfair contract clauses.

Fluent in multiple languages and experienced across borders, I’m passionate about helping clients embed compliance into their operations and thrive in the fast-changing digital landscape.