On 21 April, within its Plenary Session, the European Data Protection Board (EDPB) adopted two essential guidelines on the major data processing activities performed in the context of the Covid-19 pandemic: Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (Guidelines 04/2020) and Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (Guidelines 03/2020).
The main aspects tackled by Guidelines 04/2020 are the use of location data and of contact tracing applications. Once again, the EDPB underlines that personal data should be processed in accordance with the legal processing principles, whatever the purpose pursued. More precisely, the location data collected from electronic communication providers may only be transmitted to authorities or other third parties: (i) if they have been anonymised by the provider or (ii) with the prior consent of the users (for data indicating the geographic position of the user's terminal equipment, which are not traffic data).
Also, storing and/or gaining access to location data collected directly from the user's terminal equipment shall be allowed only if: (i) the user has given consent or (ii) the storage and/or access is strictly necessary for the information society service explicitly requested by the user.
Data controllers should perform a “reasonability test”, assessing the ability to link the data with an identified or identifiable natural person, based both on objective aspects (time, technical means) and on contextual elements (population density, nature and volume of data etc.). Only data passing this test shall be considered anonymised.
Concerning the use of contact tracing applications, the EDPB mentions that such applications should be used based on voluntary adoption by the users, without any negative consequences for the individuals who decide not to or cannot use such applications. The controllers for such applications could mainly be national health authorities, but this is not a rule.
It is important that the processing activity is very specific, so as to exclude further processing for purposes unrelated to the management of the COVID-19 outbreak (e.g., commercial or law enforcement purposes). Also, as a general rule, personal data should be stored only for the duration of the COVID-19 crisis.
The legal ground for the processing of personal data will not necessarily be the data subject’s consent, but rather the performance of a task in the public interest (Art. 6(1)(e) GDPR). To the extent that health data is processed, legal bases such as Art. 9(2)(i) (reasons of public interest in the area of public health), Art. 9(2)(h) (healthcare purposes), Art. 9(2)(a) (explicit consent), Art. 9(2)(j) (scientific/research purposes) may be used.
A detailed analysis guide for contact tracing applications may be found in the Annex to Guidelines 04/2020.
In Guidelines 03/2020, the EDPB emphasises, inter alia, the following rules and recommendations regarding the processing of health data for scientific research purposes in the context of the Covid-19 outbreak:
- the consent of the data subject, collected pursuant to Article 6 (1)(a) and Article 9 (2)(a) GDPR, may constitute a legal ground for the processing. Other legal bases for the processing of health data for the purpose of scientific research are the national/EU legislation allowing the performance of such processing activities. A combination of Article 6 (1)(e) or 6 (1)(f) GDPR and the enacted derogations under Article 9 (2)(j) or Article 9 (2)(i) GDPR may be relied on in order to carry out such processing;
- information on the processing must be provided to the data subjects, in accordance with Article 13 (where the personal data is obtained directly from the data subjects) or Article 14 (where the personal data is not obtained directly from the data subject), as the case may be. The data subject should be provided with the information within a reasonable period of time before the implementation of the new research project;
Exemptions from the information obligation:
  - the provision of such information (i) proves impossible, (ii) would involve a disproportionate effort or (iii) is likely to render impossible or seriously impair the achievement of the objectives of that processing (Article 14(5) GDPR);
  - obtaining or disclosure is expressly laid down by EU or Member State law to which the controller is subject (Article 14 (5)(c) GDPR);
- the data minimization principle can be achieved by assessing the type and amount of data necessary to properly answer research questions. The personal data should be anonymised if it is possible to perform the scientific research without using personal data;
- appropriate, up-to-date technical and organisational measures must be implemented to ensure an adequate level of security, such as: pseudonymisation, encryption, non-disclosure agreements and strict access role distribution, restrictions and logs;
- a data protection impact assessment (DPIA) must be carried out;
- in principle, data subjects’ rights pursuant to Articles 12 to 22 GDPR are neither suspended nor restricted;
Exemptions: derogations from the rights referred to in Articles 15, 16, 18 and 21 may be established by the EU or Member State law (Article 89(2) GDPR);
- in the absence of an adequacy decision or appropriate safeguards, the transfer may take place to the extent that:
  - the data subject has explicitly consented to the proposed transfer or
  - it is necessary for important reasons of public interest.
It is considered that the fight against COVID-19 has been recognised by the EU and most of its Member States as an important public interest. Thus, public authorities, as well as private entities playing a role in pursuing such public interest, may rely on this derogation, but mainly as a temporary measure due to the urgency of the current situation.
The initial transfers carried out for the purpose of research in the Covid-19 outbreak context may be based on these derogations. However, long-lasting research projects in this regard, including repetitive transfers, need to be subject to appropriate safeguards in accordance with Article 46 GDPR.
Musat & Asociatii Privacy team assists all its clients with customized legal advice in order to support them during these difficult times. For any queries or information, do not hesitate to contact our specialized lawyers in privacy matters: