As a result of the COVID-19 pandemic, on April 21, the European Data Protection Board (“EDPB”) published two different guidelines: (i) Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research (“Guidelines”) and (ii) the Guidelines 04/2020 on the use of location data and contact tracing tools, discussed in this other blog post.

In the first Guidelines, the EDPB states its interest in developing additional, more detailed guidelines on health data processing for scientific research as part of its annual work plan.

For the moment, the EDPB is taking the definition of the concepts in the General Data Protection Regulation 2016/679 (“GDPR”) and the distinction between “secondary use” and “primary use” of health data as a basis to conclude that:

  • The legal basis authorizing and, at the same time, exempting the processing of personal data concerning health can be (i) explicit, free, specific, informed, and unequivocal consent, or (ii) performing a task carried out in the public interest or exercising public powers or legitimate interest (Article 6.1 letters e) or f) of the GDPR) in conjunction with public interest in the area of public health, such as protecting against serious cross-border threats to health, and for the purposes of scientific research based on Union or, in our case, Spanish law (Article 9.2 letters i) and j) of the GDPR).
  • The data protection principles must be followed, particularly the principles of (i) transparency and information to data subjects upon obtaining the data or, if they have been obtained from third parties, within a maximum of one month or in a reasonable period before the new research project is executed; (ii) purpose limitation, even if there is a “presumption of compatibility” in the scope of the scientific research under certain requirements; (iii) data minimization in accordance with the purpose of the research and storage limitation, establishing proportionate storage periods in accordance with the duration of the research and its purpose; and (iv) data integrity and confidentiality, implementing adequate technical and organizational measures (for example, at least, pseudonymization and encryption) considering the sensitivity of health data.
  • Although, in principle, situations such as the current COVID-19 outbreak do not suspend or restrict data subjects’ ability to exercise their data protection rights, the GDPR allows national legislators to limit some of the data subject’s rights.
  • Given the global context of the pandemic, the EDPB considers it likely that international cooperation, and therefore the international transfer of personal data on health for scientific research, will be needed. In this case, it understands that the exceptions set out in Article 49 of the GDPR on the possibility of transferring data without appropriate safeguards for important reasons of public interest or under explicit consent can apply, in line with the level of urgency and only temporarily, to both public authorities and private entities acting to ensure that public interest.

Authors: Alejandro Negro and Adaya Esteban

