
Health Data GDPR Processing During the COVID-19 Outbreak

18 June 2020

A principle of physics states that every action is met by an equal and opposite reaction. Society is trying to do the same, using its best resources, whether medical, technological or legal, to cooperate and prevent the spread of COVID-19. Thus, more and more countries have started considering various methods that would ease the fight against COVID-19, which often include the use of contact tracing applications and intensive health data processing. Needless to say, these methods have raised certain concerns from a data protection standpoint.

Such concerns were addressed by the European Data Protection Board (“EDPB”), which issued guidelines regarding the processing of health data for scientific purposes in the context of the COVID-19 outbreak, with a view to facilitating the observance of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).

Although the guidelines mainly refer to the processing of health data for scientific purposes, the recommendations and interpretations of the EDPB are equally valid for the day-to-day business operations of any data controller which falls under the scope of the GDPR.

The guidelines’ key topics relate to (i) the legal basis for the processing of health data, (ii) the implementation of appropriate safeguards and (iii) the exercise of data subjects’ rights.

Health data related concepts explained

The EDPB explains certain critical concepts used by the GDPR in order to provide an overall understanding of health data processing.

Data concerning health

Data concerning health should always be given a wide interpretation, considering that health data qualifies as sensitive data and should benefit from higher protection, since the use of such data may have a significant adverse impact on data subjects.

The data processed may be collected from various sources, such as:

medical patient history reports held by health care providers;

use of cross-referencing techniques that result in certain information becoming health data (e.g. the assumption that a given person has a disease, based on certain treatments, on information regarding body temperature or on recent trips to a region affected by COVID-19); and

self-check surveys, where data subjects provide health information, such as COVID-19 symptoms.

Processing for scientific purposes

Although a broader interpretation is allowed when assessing whether processing is carried out for scientific purposes, one should not go beyond the common meaning of the term and rely on “scientific purposes” merely to justify health data processing.

Further processing

The EDPB highlights the distinction between primary use (processing of health data collected directly for scientific purposes) and secondary use (processing for scientific purposes of health data which was initially collected for other purposes). Depending on the category of use, different rules set forth under the GDPR apply in respect of legal grounds, the information obligation and the purpose limitation principle. Further EDPB guidelines on the topic of further processing will follow, detailing the differing legal frameworks.

Exemptions from obligation to inform data subjects

The processing of health data should occur only with the observance of all GDPR principles. As a general rule, data subjects should be informed of any processing concerning their health data. However, given the current context, the following exemptions may be relied upon:

Information proves impossible: it has to be an all-or-nothing situation, and the data controller should be able to demonstrate the circumstances preventing it from complying with the information obligation;

Information implies a disproportionate effort: the number of data subjects, the age of the collected data and the safeguards in place should be factored in when assessing whether informing data subjects implies a disproportionate effort. The data controller should properly document the assessment process;

Information implies a serious impairment of objectives: in this situation, the burden of proof lies with the data controller; and

Obtaining or disclosure is expressly laid down by national or European legislation: even where provided for under legislation, the data controller will still be required to prove that the law applies to its specific case.

Exercise of data subjects’ rights

The COVID-19 outbreak does not entitle any data controller to suspend or restrict the exercise of the data subjects’ rights set forth under Articles 12 to 22 of the GDPR. However, the data controller may rely on the provisions of the GDPR which (i) allow it to extend its response time and/or (ii) regulate restrictions to the data subjects’ rights (such as refusing to erase personal data where the data is required for the performance of a task carried out in the public interest or for reasons of public interest in the field of public health).

With regard to appropriate safeguards, the EDPB advises using anonymisation (for data minimisation compliance purposes), pseudonymisation and encryption techniques, and establishing proportionate storage periods (for confidentiality compliance purposes). Non-disclosure agreements and strict access protocols may also be considered. It also recommends performing a data protection impact assessment, since sensitive data meriting higher protection is processed and the processing is likely to result in a high risk to the data subjects’ rights.