The European Data Protection Board has adopted two sets of guidelines on the processing of health data for research purposes and guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak.
The guidelines on health data aim to shed light on the most urgent legal questions concerning the use of health data, such as the legal basis of processing, further processing of health data for the purpose of scientific research, the implementation of adequate safeguards and the exercise of data subject rights.
The guidelines highlight that the GDPR contains several provisions for the processing of health data for the purpose of scientific research, which also apply in the context of the COVID-19 pandemic, in particular relating to consent and to the respective national laws. The GDPR permits processing of certain special categories of personal data, such as health data, where it is necessary for scientific research purposes.
In addition, the guidelines address legal questions concerning international data transfers involving health data for research purposes related to the fight against COVID-19, in particular in the absence of an adequacy decision or other appropriate safeguards.
The guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak aim to clarify the conditions and principles for the proportionate use of location data and contact tracing tools, for two specific purposes:
- using location data to support the response to the pandemic by modelling the spread of the virus to assess the overall effectiveness of confinement measures;
- using contact tracing, which aims to notify individuals who may have been in close proximity to someone who is eventually confirmed as a carrier of the virus, to break the contamination chains as early as possible.
The guidelines emphasise that both the GDPR and the ePrivacy Directive contain specific provisions allowing for the use of anonymous or personal data to support public authorities and other parties at both national and EU level in their efforts to monitor and contain the spread of COVID-19. The general principles of effectiveness, necessity, and proportionality must guide any measures adopted by member states or EU institutions that involve processing of personal data to fight COVID-19.
The EDPB underlines the position that the use of contact tracing apps should be voluntary and should not rely on tracing individual movements, but rather on proximity information regarding users.
In addition, the EDPB adopted a guide for contact tracing apps as an annex to the guidelines. The purpose of the guide, which is non-exhaustive, is to provide general guidance to designers and implementers of contact tracing apps, underlining that any assessment must be carried out on a case-by-case basis.
Due to the urgent situation the guidelines will not be submitted for public consultation due to the urgency of the current situation and the necessity to have the guidelines readily available.