On 2 February 2021, the EDPB published its document in response to the European Commission's request for clarifications on the consistent application of the GDPR, focusing on health research. The EDPB will say more on the issue in its guidelines on the processing of personal data for scientific research purposes later in 2021; for now, the response document covers the following issues: 

  • the legal basis for processing health-related data for scientific research 
  • further processing of previously collected health data 
  • broad consent 
  • transparency of data processing 
  • anonymisation and pseudonymisation 
  • processing of special categories of data on a large scale and international cooperation 

1. Legal basis for processing health-related data for scientific research

The EDPB acknowledges that differences between EU Member States can be expected. This is due to the many interpretations on how to apply the GDPR and a certain level of discretion given to the states under the GDPR. States can establish derogations from data subject rights in respect of processing for scientific research or determine what is a legal obligation or a task in the public interest which can have a considerable impact on the legal basis. In general, under the GDPR controllers are required to process personal data under one of a limited set of legal bases listed under Article 6. Where processing involves special categories of personal data, which is likely to be the case with health research data, controllers must satisfy one of the exemptions provided under Article 9. Other legal bases and exemptions are only available in Union or Member State law. 

The EDPB stressed that informed consent for participating in research is not sufficient for processing data for research; the latter requires explicit consent under Article 9(2) of the GDPR. However, such consent might be invalid if there is a clear imbalance of power between controller and data subject, e.g. where the data subject is in poor health and no treatment is available outside the clinical trial. Therefore, the applicability of consent as a legal basis for data processing must be assessed on a case-by-case basis. The EDPB also mentioned that researchers may need to rely on different legal bases and exemptions to process personal data in the same clinical trial across different Member States. However, it is preferable that researchers maintain consistent rights for data subjects across all Member States whenever possible.  

The EDPB calls on the Commission to adopt a common legal basis and/or scientific research regime for the processing of health data in multiple Member States in the forthcoming legislative proposal on the European Health Data Space (EHDS). 

2. Further processing of previously collected health data 

Researchers who wish to further process previously collected health data must satisfy several GDPR requirements. Under Article 5(1)(b) of the GDPR, data must be processed for the same “specified, explicit and legitimate purposes” for which the data were initially collected and not further processed for incompatible purposes. Further processing for scientific research purposes, if done with adequate safeguards as per Article 89(1) of the GDPR, is not considered incompatible. The GDPR thus creates a presumption of compatibility which, for example, may allow controllers to use data in multiple research projects even though they originally collected the data for only one.  

The EDPB will provide more clarification on requirements for further processing and discuss when the health data from social media platforms, activity trackers or public databases might be used for scientific research in its yet-to-be-released guidance. 

3. Broad consent 

The concept of broad consent established in Recital 33 of the GDPR comes into play when a researcher cannot identify the purpose of personal data processing for scientific research purposes at the time of data collection. In such a case, the requirements for the specificity of the consent are loosened and the purpose is defined at a more general level, for instance in terms of research questions or fields to be explored. Researchers relying on broad consent should specify the purpose as soon as reasonably possible, obtain specific consent to known stages of the research and give data subjects adequate safeguards, such as the opportunity to withdraw or further specify their consent. Broad consent could be relied on for different research projects that fall within its scope and that meet certain additional safeguards, which will be elaborated on in the EDPB guidelines on processing personal data for scientific research purposes, currently in the pipeline. The EDPB has however already indicated that when special categories of data are involved, broad consent is subject to stricter interpretation and higher scrutiny. 

4. Transparency of data processing 

Controllers must be clear and honest about the collection and use of personal data and meet their information obligation towards data subjects as required under Articles 13 and 14 of the GDPR. Any exception to this obligation should be interpreted in a restricted way.  

In further processing circumstances, the controller should, prior to further processing the personal data for another purpose or under a different legal basis, provide the data subject with the corresponding information. However, controllers who did not obtain the data directly from the data subject may resort to Article 14(5)(b), which exempts them from the information duties if the provision of the information proves impossible or would involve disproportionate effort for processing for scientific research. There is no such exception for controllers who collect data directly from data subjects; they should therefore take appropriate steps at the time of collection so that they are able to reach the data subject in the future. The EDPB will further address this item in the upcoming guidance. 

5. Anonymisation and pseudonymisation 

Pseudonymisation and anonymisation must be clearly distinguished, since only the latter causes the data to fall outside the scope of the GDPR. Anonymisation is however difficult to achieve, given the progress in the field of re-identification, and must be approached with caution in the context of scientific research, especially for research involving genetic data. To determine whether data is anonymous, researchers must consider all means reasonably likely to be used, bearing in mind that technology may advance, and must satisfy themselves of this on an ongoing basis. This is to be discussed further in the upcoming guidance, as the subject matter remains unresolved. 
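The following is an added example, not part of the EDPB document or of this article, illustrating the two points above in code: pseudonymised data stays personal data because whoever holds the key (or the mapping table) can re-identify it, and dropping the direct identifier does not anonymise a record if its remaining quasi-identifiers (here postcode, birth year, sex) are unique in the dataset. The patient records, the key, the field names and the choice of HMAC-SHA256 for the pseudonym are all constructed assumptions for the demonstration; the k-anonymity check is a deliberately simple re-identification test, not the full assessment the EDPB describes.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (no real persons); "name" is the direct identifier.
PATIENTS = [
    {"name": "A. Example", "postcode": "1011AB", "birth_year": 1950, "sex": "F", "diagnosis": "asthma"},
    {"name": "B. Example", "postcode": "1011AB", "birth_year": 1950, "sex": "F", "diagnosis": "diabetes"},
    {"name": "C. Example", "postcode": "2512CD", "birth_year": 1984, "sex": "M", "diagnosis": "asthma"},
    {"name": "D. Example", "postcode": "2512EF", "birth_year": 1981, "sex": "M", "diagnosis": "migraine"},
    {"name": "E. Example", "postcode": "2513GH", "birth_year": 1988, "sex": "M", "diagnosis": "asthma"},
]

# Fields that are not direct identifiers but can single a person out in combination.
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def pseudonymise(records, key):
    """Replace the name with a keyed HMAC-SHA256 token (assumed scheme).

    Returns the pseudonymised records and the token->name mapping, which a
    controller would store separately under Article 89(1)-style safeguards.
    """
    mapping = {}
    output = []
    for record in records:
        token = hmac.new(key, record["name"].encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        mapping[token] = record["name"]
        output.append({"pid": token, **{k: v for k, v in record.items() if k != "name"}})
    return output, mapping


def reidentify(token, mapping):
    """Whoever holds the mapping table can reverse the pseudonym directly."""
    return mapping.get(token)


def matches_candidate(token, candidate_name, key):
    """Whoever holds the key can confirm a guessed identity without the table."""
    recomputed = hmac.new(key, candidate_name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(recomputed, token)


def _qi_tuple(record, quasi):
    return tuple(record[q] for q in quasi)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest group size sharing the same quasi-identifier values (k=1 means unique rows exist)."""
    counts = Counter(_qi_tuple(r, quasi) for r in records)
    return min(counts.values())


def singletons(records, quasi=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination appears only once (re-identifiable by linkage)."""
    counts = Counter(_qi_tuple(r, quasi) for r in records)
    return [r for r in records if counts[_qi_tuple(r, quasi)] == 1]


def generalise(records):
    """Coarsen quasi-identifiers: postcode to its first two characters, birth year to the decade."""
    return [
        {**r, "postcode": r["postcode"][:2], "birth_year": (r["birth_year"] // 10) * 10}
        for r in records
    ]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key would be generated and held separately
    pseudo, mapping = pseudonymise(PATIENTS, key)
    print("k before generalisation:", k_anonymity(pseudo))          # 1: unique rows remain
    print("re-identifiable rows:", len(singletons(pseudo)))          # 3
    print("k after generalisation:", k_anonymity(generalise(pseudo)))  # 2
    print("key holder recovers:", reidentify(pseudo[0]["pid"], mapping))
```

Run as a script, the example shows that removing the name alone leaves three of five rows uniquely identifiable by postcode, birth year and sex, and that coarsening those fields raises the minimum group size to two; it also shows the pseudonym being reversed by the holder of the mapping table, and confirmed from a guessed name by the holder of the key, which is why pseudonymised data remains within the GDPR's scope.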

6. Processing of special categories of data on a large scale and international cooperation 

The EDPB notes that, for the large-scale processing of health and other special categories of data and for transfers of data to third countries for scientific research purposes, it is important to determine whether a data protection impact assessment (DPIA) must be conducted, and whether a representative of a controller or processor not established in the EU and/or a data protection officer (DPO) must be appointed. The DPIA requirement could be triggered where processing is ‘likely to result in a high risk’ to the rights and freedoms of data subjects, even when the processing does not fall in the ‘large scale’ category. The EDPB has promised to elaborate on this issue in its guidelines on the processing of personal data for scientific research purposes. 

What action can be taken? 

The ongoing pandemic has highlighted, and reminded the entire world of, the significance and inevitability of health research in an unprecedented manner. As shown above, the GDPR also treats scientific research with special attention, and controllers and processors are required to be fully compliant with it even while the EDPB guidelines are still under preparation. The sensitivity of data processing for health research might make compliance particularly challenging, and controllers and processors should therefore carefully review their data processes.  

As the outsourced DPO, HewardMills assists clients with setting up policies and safeguards to achieve compliance for controllers and processors in many different sectors including health research.