The EDPB has issued guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak. These are exceptionally not submitted for public consultation due to the urgency of the current situation and the necessity to have the guidelines readily available.

The highlights are as follows: 

Legal basis: The GDPR contains several provisions for the processing of health data for the purpose of scientific research, which also apply in the context of the COVID-19 pandemic, in particular relating to consent and to the respective national legislation. The GDPR foresees the possibility to process certain special categories of personal data, such as health data, where it is necessary for scientific research purposes.

Scientific research purposes are dependent on local legislation: Each country will have to enact specific laws pursuant to Article 9 (2) (i) and (j) GDPR to enable the processing of health data for scientific research purposes. The processing of health data for the purpose of scientific research must also be covered by one of the legal bases in Article 6 (1) GDPR.

Who can rely on "substantial public interest" to process COVID-19 sensitive data: Public authorities and private entities playing a role in pursuing such public interest can rely on substantial public interest under the current pandemic context.

Companies should carry out a DPIA: Considering the processing risks in the context of the COVID-19 outbreak, an assessment must be made of whether a DPIA has to be carried out.

Define your retention periods: And make sure the criteria are clear.

DSAR rights should not be restricted but can be restricted: Even though situations like the COVID-19 outbreak do not suspend or restrict the ability of data subjects to exercise their rights, it is possible that local laws implement restrictions on the rights of data subjects (see Article 89 (2) GDPR).

Exceptionally, data can be transferred under a derogation: In the absence of an adequacy decision or appropriate safeguards, public authorities and private entities may rely upon the applicable derogations pursuant to Article 49 GDPR.