Using Health Data in Europe During COVID-19

Snehal Desai
Sheppard Mullin Richter & Hampton LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Sheppard Mullin Richter & Hampton LLPThe EDPB recently issued guidelines about how to use health data during the current pandemic in compliance with GDPR. Given the COVID-19 pandemic, there have been many research efforts in place to fight against the virus.  The EDPB’s guidelines shed light on the special rules for processing health data for scientific research, which apply in the context of the COVID-19 pandemic:

  • Legal basis for processing: The EDPB explained that the processing of health data for purposes of scientific research must be covered by one of the legal bases set out in Article 6(1) GDPR, such as consent. If consent is the legal basis that is relied on, the consent must be freely given and the data subject must be able to freely revoke consent. Member states may enact specific laws to enable the processing for scientific research purposes, as long as they are consistent with Article 5, Article 32 and Article 89 of the GDPR.  Member states must also assess if a Data Processing Impact Assessment should be carried out.
  • Protection of information: The guidelines also remind entities that GDPR’s protection principles are still imperative, even if data is being processed for scientific research purposes. There are several parts of this, as the guidelines discuss. These include collecting information only for specific purposes and not using the information beyond those specific purposes. Personal data also needs to be processed fairly and in a transparent manner in relation to data subjects. The guidelines also remind those using health information to keep it only for as long as is strictly necessary to process the data for scientific research purposes, and to use adequate protection safeguards.
  • Transferring outside of the EU: For transfers of personal data outside the EU to countries where there is no adequacy decision or appropriate safeguards, the guidelines include reminders about the restrictions on transfers. The EDPB reminds public authorities and private entities that in those circumstances they may rely on exceptions that are set out in Article 49 of the GDPR, such as consent. These determinations should be made on a case-by-case basis.
Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP
Sheppard Mullin Richter & Hampton LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide