June 28, 2022

Volume XII, Number 179

Advertisement
Advertisement

June 27, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

Using Health Data in Europe During COVID-19

The EDPB recently issued guidelines about how to use health data during the current pandemic in compliance with GDPR. Given the COVID-19 pandemic, there have been many research efforts in place to fight against the virus.  The EDPB’s guidelines shed light on the special rules for processing health data for scientific research, which apply in the context of the COVID-19 pandemic:

  • Legal basis for processing: The EDPB explained that the processing of health data for purposes of scientific research must be covered by one of the legal bases set out in Article 6(1) GDPR, such as consent. If consent is the legal basis that is relied on, the consent must be freely given and the data subject must be able to freely revoke consent. Member states may enact specific laws to enable the processing for scientific research purposes, as long as they are consistent with Article 5, Article 32 and Article 89 of the GDPR.  Member states must also assess if a Data Processing Impact Assessment should be carried out.

  • Protection of information: The guidelines also remind entities that GDPR’s protection principles are still imperative, even if data is being processed for scientific research purposes. There are several parts of this, as the guidelines discuss. These include collecting information only for specific purposes and not using the information beyond those specific purposes. Personal data also needs to be processed fairly and in a transparent manner in relation to data subjects. The guidelines also remind those using health information to keep it only for as long as is strictly necessary to process the data for scientific research purposes, and to use adequate protection safeguards.

  • Transferring outside of the EU: For transfers of personal data outside the EU to countries where there is no adequacy decision or appropriate safeguards, the guidelines include reminders about the restrictions on transfers. The EDPB reminds public authorities and private entities that in those circumstances they may rely on exceptions that are set out in Article 49 of the GDPR, such as consent. These determinations should be made on a case-by-case basis.

Putting it Into practice: Those who wish to use health information during COVID-19 to foster scientific research during the COVID-19 pandemic can use these guidelines to understand GDPR requirements. As the EDPB emphasizes, these still apply when processing such data.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 121
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Snehal Desai, attorney, Sheppard Mullin
Attorney

Snehal Desai is an associate in the Intellectual Property Practice Group in the firm's San Francisco office. She is a member of the Privacy and Cybersecurity Team, the Advertising Team and the Technology Transactions Team.

Areas of Practice

Advertising: Snehal advises clients in conducting advertising campaigns, contests and sweepstakes, and brand marketing campaigns. 

Technology and Commercial Transactions: Snehal drafts and negotiates...

415-774-2960
Advertisement
Advertisement
Advertisement