Adopted 1
Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak
Adopted on 21 April 2020
Version history
Version 1.1 (30 April 2020): Minor corrections
Version 1.0 (21 April 2020): Adoption of the Guidelines
Table of contents
1 Introduction
2 Application of the GDPR
3 Definitions
3.1 “Data concerning health”
3.2 “Processing for the purpose of scientific research”
3.3 “Further processing”
4 Legal basis for the processing
4.1 Consent
4.2 National legislations
5 Data protection principles
5.1 Transparency and information to data subjects
5.1.1 When must the data subject be informed?
5.1.2 Exemptions
5.2 Purpose limitation and presumption of compatibility
5.3 Data minimisation and storage limitation
5.4 Integrity and confidentiality
6 Exercise of the rights of data subjects
7 International data transfers for scientific research purposes
8 Summary
The European Data Protection Board
Having regard to Article 70 (1) (e) of the Regulation 2016/679/EU of the European Parliament and of
the Council of 27 April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter
“GDPR”),
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA Joint Committee No 154/2018 of 6 July 2018,
Having regard to Article 12 and Article 22 of its Rules of Procedure,
HAS ADOPTED THE FOLLOWING GUIDELINES
1 INTRODUCTION
1. Due to the COVID-19 pandemic, there are currently great scientific research efforts in the fight against SARS-CoV-2 in order to produce research results as fast as possible.
2. At the same time, legal questions concerning the use of health data pursuant to Article 4 (15) GDPR
for such research purposes keep arising. The present guidelines aim to shed light on the most urgent
of these questions such as the legal basis, the implementation of adequate safeguards for such
processing of health data and the exercise of the data subject rights.
3. Please note that the development of a further and more detailed guidance for the processing of health
data for the purpose of scientific research is part of the annual work plan of the EDPB. Also, please
note that the current guidelines do not revolve around the processing of personal data for
epidemiological surveillance.
2 APPLICATION OF THE GDPR
4. Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the COVID-19 pandemic. [1] The GDPR is a broad piece of legislation and provides for several provisions that allow the processing of personal data for the purpose of scientific research connected to the COVID-19 pandemic to be handled in compliance with the fundamental rights to privacy and personal data protection. [2] The GDPR also foresees a specific derogation from the prohibition of processing of certain special categories of personal data, such as health data, where it is necessary for these purposes of scientific research. [3]
5. Fundamental Rights of the EU must be applied when processing health data for the purpose of scientific research connected to the COVID-19 pandemic. Neither the Data Protection Rules nor the Freedom of Science pursuant to Article 13 of the Charter of Fundamental Rights of the EU have precedence over the other. Rather, these rights and freedoms must be carefully assessed and balanced, resulting in an outcome which respects the essence of both.
[1] See the Statement of the EDPB from 19.3.2020 on the general processing of personal data in the context of the COVID-19 outbreak, available at https://edpb.europa.eu/our-work-tools/our-documents/other/statement-processing-personal-data-context-covid-19-outbreak_en.
[2] See for example Article 5 (1) (b) and (e), Article 14 (5) (b) and Article 17 (3) (d) GDPR.
[3] See for example Article 9 (2) (j) and Article 89 (2) GDPR.
3 DEFINITIONS
6. It is important to understand which processing operations benefit from the special regime foreseen in the GDPR and elaborated on in the present guidelines. Therefore, the terms “data concerning health”, “processing for the purpose of scientific research” as well as “further processing” (also referred to as “primary and secondary usage of health data”) must be defined.
3.1 “Data concerning health”
7. According to Article 4 (15) GDPR, “data concerning health” means “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. As indicated by Recital 53, data concerning health deserves higher protection, as the use of such sensitive data may have significant adverse impacts for data subjects. In the light of this and the relevant jurisprudence of the European Court of Justice (“ECJ”), [4] the term “data concerning health” must be given a wide interpretation.
8. Data concerning health can be derived from different sources, for example:
1. Information collected by a health care provider in a patient record (such as medical history
and results of examinations and treatments).
2. Information that becomes health data by cross referencing with other data thus revealing the
state of health or health risks (such as the assumption that a person has a higher risk of
suffering heart attacks based on the high blood pressure measured over a certain period of
time).
3. Information from a “self check” survey, where data subjects answer questions related to their
health (such as stating symptoms).
4. Information that becomes health data because of its usage in a specific context (such as information regarding a recent trip to or presence in a region affected by COVID-19, processed by a medical professional to make a diagnosis).
3.2 “Processing for the purpose of scientific research”
9. Article 4 GDPR does not entail an explicit definition of “processing for the purpose of scientific research”. As indicated by Recital 159, “the term processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union’s objective under Article 179 (1) TFEU of achieving a European Research Area. Scientific research purposes should also include studies conducted in the public interest in the area of public health”.
10. The former Article 29 Working Party has already pointed out that the term may not be stretched beyond its common meaning though and understands that “scientific research” in this context means “a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice”. [5]
[4] See for example, regarding the Directive 95/46/EC, ECJ 6.11.2003, C-101/01 (Lindqvist) paragraph 50.
3.3 “Further processing”
11. Finally, when talking about “processing of health data for the purpose of scientific research”, there are
two types of data usages:
1. Research on personal (health) data which consists in the use of data directly collected for the
purpose of scientific studies (“primary use”).
2. Research on personal (health) data which consists of the further processing of data initially
collected for another purpose (“secondary use”).
12. Example 1: For conducting a clinical trial on individuals suspected to be infected with SARS-CoV-2, health data are collected and questionnaires are used. This is a case of “primary use” of health data as defined above.
13. Example 2: A data subject has consulted a health care provider as a patient regarding symptoms of the
SARS-CoV-2. If health data recorded by the health care provider is being used for scientific research
purposes later on, this usage is classified as further processing of health data (secondary use) that has
been collected for another initial purpose.
14. The distinction between scientific research based on primary or secondary usage of health data will
become particularly important when talking about the legal basis for the processing, the information
obligations and the purpose limitation principle pursuant to Article 5 (1) (b) GDPR as outlined below.
4 LEGAL BASIS FOR THE PROCESSING
15. All processing of personal data concerning health must comply with the principles relating to processing set out in Article 5 GDPR and with one of the legal grounds and the specific derogations listed respectively in Article 6 and Article 9 GDPR for the lawful processing of this special category of personal data. [6]
16. Legal bases and applicable derogations for processing health data for the purpose of scientific research
are provided for respectively in Article 6 and Article 9. In the following section, the rules concerning
consent and respective national legislation are addressed. It has to be noted that there is no ranking
between the legal bases stipulated in the GDPR.
4.1 Consent
17. The consent of the data subject, collected pursuant to Article 6 (1) (a) and Article 9 (2) (a) GDPR, may
provide a legal basis for the processing of data concerning health in the COVID-19 context.
18. However, it has to be noted that all the conditions for explicit consent, particularly those found in Article 4 (11), Article 6 (1) (a), Article 7 and Article 9 (2) (a) GDPR, must be fulfilled. Notably, consent must be freely given, specific, informed, and unambiguous, and it must be made by way of a statement or “clear affirmative action”.
[5] See the Guidelines on Consent under Regulation 2016/679 of the former Article 29 Working Party from 10.04.2018, WP259 rev.01, 17EN, page 27 (endorsed by the EDPB). Available at https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051.
[6] See for example, regarding the Directive 95/46/EC, ECJ 13.5.2014, C-131/12 (Google Spain), paragraph 71.
19. As stated in Recital 43, consent cannot be considered freely given if there is a clear imbalance between the data subject and the controller. It is therefore important that a data subject is not pressured and does not suffer from disadvantages if they decide not to give consent. The EDPB has already addressed consent in the context of clinical trials. [7] Further guidance, particularly on the topic of explicit consent, can be found in the consent guidelines of the former Article 29 Working Party. [8]
20. Example: A survey is conducted as part of a non-interventional study on a given population,
researching symptoms and the progress of a disease. For the processing of such health data, the
researchers may seek the consent of the data subject under the conditions as stipulated in Article 7
GDPR.
21. In the view of the EDPB, the example above is not considered a case of “clear imbalance of power” as mentioned in Recital 43 and the data subject should be able to give the consent to the researchers. [9] In the example, the data subjects are not in any situation of dependency on the researchers that could inappropriately influence the exercise of their free will, and it is also clear that refusing to give their consent will have no adverse consequences for them.
22. However, researchers should be aware that if consent is used as the lawful basis for processing, there must be a possibility for individuals to withdraw that consent at any time pursuant to Article 7 (3) GDPR. If consent is withdrawn, all data processing operations that were based on consent remain lawful in accordance with the GDPR, but the controller shall stop the processing actions concerned and if there is no other lawful basis justifying the retention for further processing, the data should be deleted by the controller. [10]
4.2 National legislations
23. Article 6 (1) (e) or Article 6 (1) (f) GDPR in combination with the enacted derogations under Article 9 (2) (j) or Article 9 (2) (i) GDPR can provide a legal basis for the processing of personal (health) data for scientific research. In the context of clinical trials this has already been clarified by the Board. [11]
24. Example: A large population-based study conducted on medical charts of COVID-19 patients.
25. As outlined above, the EU as well as the national legislator of each Member State may enact specific
laws pursuant to Article 9 (2) (j) or Article 9 (2) (i) GDPR to provide a legal basis for the processing of
health data for the purpose of scientific research. Therefore, the conditions and the extent for such
processing vary depending on the enacted laws of the particular Member State.
26. As stipulated in Article 9 (2) (i) GDPR, such laws shall provide for “suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”. As similarly stipulated in Article 9 (2) (j) GDPR, such enacted laws “shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.
[7] See Opinion 3/2019 of the EDPB from 23.1.2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR), available at https://edpb.europa.eu/our-work-tools/our-documents/avis-art-70/opinion-32019-concerning-questions-and-answers-interplay_en.
[8] Guidelines on Consent under Regulation 2016/679 of the former Article 29 Working Party from 10.04.2018, WP259 rev.01, 17EN, page 18 (endorsed by the EDPB).
[9] Assuming that the data subject has not been pressured or threatened with disadvantages when not giving his or her consent.
[10] See Article 17 (1) (b) and (3) GDPR.
[11] See Opinion 3/2019 of the EDPB from 23.1.2019, page 7.
27. Furthermore, such enacted laws must be interpreted in the light of the principles pursuant to Article 5 GDPR and in consideration of the jurisprudence of the ECJ. In particular, derogations and limitations in relation to the protection of data provided in Article 9 (2) (j) and Article 89 GDPR must apply only in so far as is strictly necessary. [12]
5 DATA PROTECTION PRINCIPLES
28. The principles relating to processing of personal data pursuant to Article 5 GDPR shall be respected by
the controller and processor, especially considering that a great amount of personal data may be
processed for the purpose of scientific research. Considering the context of the present guidelines, the
most important aspects of these principles are addressed in the following.
5.1 Transparency and information to data subjects
29. The principle of transparency means that personal data shall be processed fairly and in a transparent
manner in relation to the data subject. This principle is strongly connected with the information
obligations pursuant to Article 13 or Article 14 GDPR.
30. In general, a data subject must be individually informed of the existence of the processing operation
and that personal (health) data is being processed for scientific purposes. The information delivered
should contain all the elements stated in Article 13 or Article 14 GDPR.
31. It has to be noted that researchers often process health data that they have not obtained directly from
the data subject, for instance using data from patient records or data from patients in other countries.
Therefore, Article 14 GDPR, which covers information obligations where personal data is not collected
directly from the data subject, will be the focus of this section.
5.1.1 When must the data subject be informed?
32. When personal data have not been obtained from the data subject, Article 14 (3) (a) GDPR stipulates that the controller shall provide the information “within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed”.
33. In the current context, it has to be particularly noted that according to Article 14 (4) GDPR, where “the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose”.
34. In the case of the further processing of data for scientific purposes and taking into account the
sensitivity of the data processed, an appropriate safeguard according to Article 89 (1) is to deliver the
information to the data subject within a reasonable period of time before the implementation of the
new research project. This allows the data subject to become aware of the research project and
enables the possibility to exercise his/her rights beforehand.
5.1.2 Exemptions
35. However, Article 14 (5) GDPR stipulates four exemptions from the information obligation. In the current context, the exemptions pursuant to Article 14 (5) (b) (“proves impossible or would involve a disproportionate effort”) and (c) (“obtaining or disclosure is expressly laid down by Union or Member State law”) GDPR are of particular relevance, especially for the information obligation pursuant to Article 14 (4) GDPR.
[12] See for example, regarding the Directive 95/46/EC, ECJ 14.2.2019, C-345/17 (Buivids) paragraph 64.
5.1.2.1 Proves impossible
36. In its Guidelines regarding the principle of Transparency, [13] the former Article 29 Working Party has already pointed out that “the situation where it “proves impossible” under Article 14 (5) (b) to provide the information is an all or nothing situation because something is either impossible or it is not; there are no degrees of impossibility. Thus, if a data controller seeks to rely on this exemption it must demonstrate the factors that actually prevent it from providing the information in question to data subjects. If, after a certain period of time, the factors that caused the “impossibility” no longer exist and it becomes possible to provide the information to data subjects then the data controller should immediately do so. In practice, there will be very few situations in which a data controller can demonstrate that it is actually impossible to provide the information to data subjects”.
5.1.2.2 Disproportionate effort
37. In determining what constitutes disproportionate effort, Recital 62 refers to the number of data subjects, the age of the data and appropriate safeguards in place as possible indicative factors. In the Transparency Guidelines mentioned above, [14] it is recommended that the controller should therefore carry out a balancing exercise to assess the effort involved to provide the information to data subjects against the impact and effects on the data subject if they are not provided with the information.
38. Example: A large number of data subjects where there is no available contact information could be
considered as a disproportionate effort to provide the information.
5.1.2.3 Serious impairment of objectives
39. To rely on this exception, data controllers must demonstrate that the provision of the information set
out in Article 14 (1) per se would render impossible or seriously impair the achievement of the
objectives of the processing.
40. In a case where the exemption of Article 14 (5) (b) GDPR applies, “the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available”.
5.1.2.4 Obtaining or disclosure is expressly laid down by Union or Member State law
41. Article 14 (5) (c) GDPR allows for a derogation of the information requirements in Articles 14 (1), (2) and (4) insofar as the obtaining or disclosure of personal data “is expressly laid down by Union or Member State law to which the controller is subject”. This exemption is conditional upon the law in question providing “appropriate measures to protect the data subject’s legitimate interests”. As stated in the above mentioned Transparency Guidelines, [15] such law must directly address the data controller and the obtaining or disclosure in question should be mandatory upon the data controller. When relying on this exemption, the EDPB recalls that the data controller must be able to demonstrate how the law in question applies to them and requires them to either obtain or disclose the personal data in question.
[13] See the Guidelines on transparency under Regulation 2016/679 of the former Article 29 Working Party from 11.4.2018, WP260 rev.01, 17/EN, page 29 (endorsed by the EDPB). Available at https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227.
[14] Guidelines on transparency under Regulation 2016/679 of the former Article 29 Working Party from 11.4.2018, WP260 rev.01, 17/EN, page 31 (endorsed by the EDPB).
[15] Guidelines on transparency under Regulation 2016/679 of the former Article 29 Working Party from 11.4.2018, WP260 rev.01, 17/EN, page 32 (endorsed by the EDPB).
5.2 Purpose limitation and presumption of compatibility
42. As a general rule, data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” pursuant to Article 5 (1) (b) GDPR.
43. However, the “compatibility presumption” provided by Article 5 (1) (b) GDPR states that “further processing for […] scientific research purposes […] shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes”. This topic, due to its horizontal and complex nature, will be considered in more detail in the planned EDPB guidelines on the processing of health data for the purpose of scientific research.
44. Article 89 (1) GDPR stipulates that the processing of data for research purposes “shall be subject to
appropriate safeguards and that those safeguards shall ensure that technical and organisational
measures are in place in particular in order to ensure respect for the principle of data minimisation.
Those measures may include pseudonymisation provided that those purposes can be fulfilled in that
manner”.
45. The requirements of Article 89 (1) GDPR emphasise the importance of the data minimisation principle and the principle of integrity and confidentiality as well as the principle of data protection by design and by default (see below). [16] Consequently, considering the sensitive nature of health data and the risks when re-using health data for the purpose of scientific research, strong measures must be taken in order to ensure an appropriate level of security as required by Article 32 (1) GDPR.
5.3 Data minimisation and storage limitation
46. In scientific research, data minimisation can be achieved through the requirement of specifying the
research questions and assessing the type and amount of data necessary to properly answer these
research questions. Which data is needed depends on the purpose of the research even when the
research has an explorative nature and should always comply with the purpose limitation principle
pursuant to Article 5 (1) (b) GDPR. It has to be noted that the data has to be anonymised where it is
possible to perform the scientific research with anonymised data.
47. In addition, proportionate storage periods shall be set. As stipulated by Article 5 (1) (e) GDPR, “personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving […] scientific purposes […] in accordance with Article 89 (1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject”.
48. In order to define storage periods (timelines), criteria such as the length and the purpose of the
research should be taken into account. It has to be noted that national provisions may stipulate rules
concerning the storage period as well.
5.4 Integrity and confidentiality
49. As mentioned above, sensitive data such as health data merit higher protection as their processing is likelier to lead to negative impacts for data subjects. This consideration especially applies in the COVID-19 outbreak as the foreseeable re-use of health data for scientific purposes leads to an increase in the number and type of entities processing such data.
[16] Also see the Guidelines 4/2019 of the EDPB from 13.11.2019 on Data Protection by Design and by Default (version for public consultation), available at https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2019/guidelines-42019-article-25-data-protection-design_en
50. It has to be noted that the principle of integrity and confidentiality must be read in conjunction with
the requirements of Article 32 (1) GDPR and Article 89 (1) GDPR. The cited provisions must be fully
complied with. Therefore, considering the high risks as outlined above, appropriate technical and
organisational up-to-date measures must be implemented to ensure a sufficient level of security.
51. Such measures should at least consist of pseudonymisation, [17] encryption, non-disclosure agreements and strict access role distribution, access role restrictions as well as access logs. It has to be noted that national provisions may stipulate concrete technical requirements or other safeguards such as adherence to professional secrecy rules.
52. Furthermore, a data protection impact assessment pursuant to Article 35 GDPR must be carried out when such processing is “likely to result in a high risk to the rights and freedoms of natural persons” pursuant to Article 35 (1) GDPR. The lists pursuant to Article 35 (4) and (5) GDPR shall be taken into account.
53. At this point, the EDPB emphasises the importance of data protection officers. Where applicable, data
protection officers should be consulted on processing of health data for the purpose of scientific
research in the context of the COVID-19 outbreak.
54. Finally, the adopted measures to protect data (including during transfers) should be properly
documented in the record of processing activities.
6 EXERCISE OF THE RIGHTS OF DATA SUBJECTS
55. In principle, situations such as the current COVID-19 outbreak do not suspend or restrict the possibility for data subjects to exercise their rights pursuant to Articles 12 to 22 GDPR. However, Article 89 (2) GDPR allows the national legislator to restrict some of the data subject’s rights as set out in Chapter 3 of the Regulation. Because of this, the restrictions of the rights of data subjects may vary depending on the enacted laws of the particular Member State.
56. Furthermore, some restrictions of the rights of data subjects can be based directly on the Regulation,
such as the access right restriction pursuant to Article 15 (4) GDPR and the restriction of the right to
erasure pursuant to Article 17 (3) (d) GDPR. The information obligation exemptions pursuant to Article
14 (5) GDPR have already been addressed above.
57. It has to be noted that, in the light of the jurisprudence of the ECJ, all restrictions of the rights of data subjects must apply only in so far as it is strictly necessary. [18]
[17] It has to be noted that personal (health) data that has been pseudonymised is still regarded as “personal data” pursuant to Article 4 (1) GDPR and must not be confused with “anonymised data”, where it is no longer possible for anyone to refer back to individual data subjects. See for example Recital 28.
[18] See for example, regarding the Directive 95/46/EC, ECJ 14.2.2019, C-345/17 (Buivids) paragraph 64.
7 INTERNATIONAL DATA TRANSFERS FOR SCIENTIFIC RESEARCH PURPOSES
58. Within the context of research and specifically in the context of the COVID-19 pandemic, there will
probably be a need for international cooperation that may also imply international transfers of health
data for the purpose of scientific research outside of the EEA.
59. When personal data is transferred to a non-EEA country or international organisation, in addition to complying with the rules set out in GDPR, [19] especially its Article 5 (data protection principles), Article 6 (lawfulness) and Article 9 (special categories of data), [20] the data exporter shall also comply with Chapter V (data transfers). [21]
60. In addition to the regular transparency requirement as mentioned on page 7 of the present guidelines,
a duty rests on the data exporter to inform data subjects that it intends to transfer personal data to a
third country or international organisation. This includes information about the existence or absence
of an adequacy decision by the European Commission, or whether the transfer is based on a suitable
safeguard from Article 46 or on a derogation of Article 49 (1). This duty exists irrespective of whether
the personal data was obtained directly from the data subject or not.
61. In general, when considering how to address such conditions for transfers of personal data to third countries or international organisations, data exporters should assess the risks to the rights and the freedoms of data subjects of each transfer [22] and favour solutions that guarantee data subjects the continuous protection of their fundamental rights and safeguards as regards the processing of their data, even after it has been transferred. This will be the case for transfers to countries having an adequate level of protection, [23] or in case of use of one of the appropriate safeguards included in Article 46 GDPR, [24] ensuring that enforceable rights and effective legal remedies are available for data subjects.
62. In the absence of an adequacy decision pursuant to Article 45 (3) GDPR or appropriate safeguards pursuant to Article 46 GDPR, Article 49 GDPR envisages certain specific situations under which transfers of personal data can take place as an exception. The derogations enshrined in Article 49 GDPR are thus exemptions from the general rule and, therefore, must be interpreted restrictively, and on a case-by-case basis. [25] Applied to the current COVID-19 crisis, those addressed in Article 49 (1) (d) (“transfer necessary for important reasons of public interest”) and (a) (“explicit consent”) may apply.
63. The COVID-19 pandemic causes an exceptional sanitary crisis of an unprecedented nature and scale. In this context, the EDPB considers that the fight against COVID-19 has been recognised by the EU and most of its Member States as an important public interest, [26] which may require urgent action in the field of scientific research (for example to identify treatments and/or develop vaccines), and may also involve transfers to third countries or international organisations. [27]
[19] Article 44 GDPR.
[20] See sections 4 to 6 of the present Guidelines.
[21] See the Guidelines 2/2018 of the EDPB from 25.5.2018 on derogations of Article 49 under Regulation 2016/679, page 3, on the two-step test, available at https://edpb.europa.eu/our-work-tools/our-documents/smjernice/guidelines-22018-derogations-article-49-under-regulation_en.
[22] International Data Transfers may be a risk factor to consider when performing a DPIA as referred to in page 10 of the present guidelines.
[23] The list of countries recognised adequate by the European Commission is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
[24] For example standard data protection clauses pursuant to Article 46 (2) (c) or (d) GDPR, ad hoc contractual clauses pursuant to Article 46 (3) (a) GDPR or administrative arrangements pursuant to Article 46 (3) (b) GDPR.
[25] See Guidelines 2/2018, page 3.
64. Not only public authorities, but also private entities playing a role in pursuing such public interest (for
example, a university’s research institute cooperating on the development of a vaccine in the context
of an international partnership) could, under the current pandemic context, rely upon the derogation
mentioned above.
65. In addition, in certain situations, in particular where transfers are performed by private entities for the
purpose of medical research aiming at fighting the COVID-19 pandemic,
28
such transfers of personal
data could alternatively take place on the basis of the explicit consent of the data subjects.
29
66. Public authorities and private entities may, under the current pandemic context, when it is not possible
to rely on an adequacy decision pursuant to Article 45 (3) or on appropriate safeguards pursuant to
Article 46, rely upon the applicable derogations mentioned above, mainly as a temporary measure due
to the urgency of the medical situation globally.
67. Indeed, if the nature of the COVID-19 crisis may justify the use of the applicable derogations for initial
transfers carried out for the purpose of research in this context, repetitive transfers of data to third
countries part of a long lasting research project in this regard would need to be framed with
appropriate safeguards in accordance with Article 46 GDPR.
30
68. Finally, it has to be noted that any such transfers will need to take into consideration on a case-by-case
basis the respective roles (controller, processor, joint controller) and related obligations of the actors
involved (sponsor, investigator) in order to identify the appropriate measures for framing the transfer.
8 SUMMARY
69. The key findings of these guidelines are:
1. The GDPR provides special rules for the processing of health data for the purpose of scientific
research that are also applicable in the context of the COVID-19 pandemic.
2. The national legislator of each Member State may enact specific laws pursuant to Article (9)
(2) (i) and (j) GDPR to enable the processing of health data for scientific research purposes.
The processing of health data for the purpose of scientific research must also be covered by
26
Article 168 of the Treaty on the Functioning of the European Union recognises a high level of human health
protection as an important objective that should be ensured in the implementation of all Union policies and
activities. On this basis, Union action supports national policies to improve public health, including in combatting
against major health scourges and serious cross-border threats to health, e.g. by promoting research into their
causes, transmission and prevention. Similarly, Recitals 46 and 112 of the GDPR refer to processing carried out
in the context of the fight against epidemics as an example of processing serving important grounds of public
interest. In the context of the COVID-19 pandemic, the EU has adopted a series of measures in a broad range of
areas (e.g. funding of healthcare systems, support to cross-border patients and deployment of medical staff,
financial assistance to the most deprived, transport, medical devices etc.) premised on the understanding that
the EU is facing a major public health emergency requiring an urgent response.
27
The EDPB underlines that the GDPR, in its Recital 112, refers to the international data exchange between
services competent for public health purposes as an example of the application of this derogation.
28
In accordance with Article 49 (3) GDPR, consent cannot be used for activities carried out by public authorities
in the exercise of their public powers.
29
See EDPB Guidelines 2/2018, section 2.1.
30
See EDPB Guidelines 2/2018, page 5.
Adopted 14
one of the legal bases in Article 6 (1) GDPR. Therefore, the conditions and the extent for such
processing varies depending on the enacted laws of the particular member state.
3. All enacted laws based on Article 9 (2) (i) and (j) GDPR must be interpreted in the light of the principles pursuant to Article 5 GDPR and in consideration of the jurisprudence of the ECJ. In particular, derogations and limitations in relation to the protection of data provided in Article 9 (2) (j) and Article 89 (2) GDPR must apply only in so far as is strictly necessary.
4. Considering the processing risks in the context of the COVID-19 outbreak, high emphasis must be put on compliance with Article 5 (1) (f), Article 32 (1) and Article 89 (1) GDPR. There must be an assessment of whether a DPIA pursuant to Article 35 GDPR has to be carried out.
5. Storage periods (timelines) shall be set and must be proportionate. In order to define such storage periods, criteria such as the length and the purpose of the research should be taken into account. National provisions may stipulate rules concerning the storage period as well and must therefore be considered.
6. In principle, situations such as the current COVID-19 outbreak do not suspend or restrict the possibility of data subjects to exercise their rights pursuant to Articles 12 to 22 GDPR. However, Article 89 (2) GDPR allows the national legislator to restrict (some of) the data subject’s rights as set out in Chapter 3 of the GDPR. Because of this, the restrictions of the rights of data subjects may vary depending on the enacted laws of the particular Member State.
7. With respect to international transfers, in the absence of an adequacy decision pursuant to Article 45 (3) GDPR or appropriate safeguards pursuant to Article 46 GDPR, public authorities and private entities may rely upon the applicable derogations pursuant to Article 49 GDPR. However, the derogations of Article 49 GDPR have an exceptional character only.
For the European Data Protection Board
The Chair
(Andrea Jelinek)