Tag: guideline

EDPB ratifies new Guideline on Health Data Processing during COVID-19

27. April 2020

The European Data Protection Board (EDPB) adopted a new Guideline on the processing of health data for scientific purposes in the context of the COVID-19 pandemic on April 21, 2020. It aims at providing clarity on the most urgent matters and issues in relation to the processing of health data. Those matters include the legal basis for processing, the implementation of adequate safeguards as well as data subjects’ rights.

The Guideline states that the GDPR contains several provisions for the processing of health data in relation to scientific research. The first one would be the consent in Art. 6 (II) a GDPR in combination with Art. 9 (II) a GDPR. The EDPB emphasizes that the consent has to meet all the necessary conditions in order to be valid: notably, consent must be freely given, specific, informed, and unambiguous, and it must be made by way of a statement.

Further, the EDPB clarifies that Art. 6 (I) e or f GDPR in combination with the enacted derogations under Art. 9 (II) (i) or (j) GDPR can provide a legal basis for the processing of personal (health) data for scientific research. National legislators can implement their own derogations, setting the ground for national legal bases in line with the GDPR.

The EDPB also addresses the case of further processing of health data for scientific purposes, meaning cases in which health data has not been collected for the primary purpose of scientific research. In these cases, the Guideline states that the scientific research is not incompatible with the original purpose of the processing, as long as the principles of Art. 5 GDPR are being upheld.

With regard to international transfers, the Guidelines place specific emphasis on transfers to countries with no adequacy decision by the European Commission. In such cases, it is possible for the exporter of the data to rely on the derogations of Art. 49 (I) a GDPR (explicit consent) and Art. 49 (I) d GDPR (transfer necessary for important public interest). However, these derogations do not entitle continuous or repeated transfers, and are only supposed to be used as temporary measures. The EDPB states that this is a sanitary crisis like none before, and therefore the transfer to other countries in cases of scientific research forms an international emergency in which the public interest may take first priority. But the Guideline makes clear that in case of repeated transfer, safeguards according to Art. 46 GDPR have to be taken.

The Guideline further emphasizes that situations like the current pandemic outbreak do not restrict data subjects from exercising their rights. However, Art. 82 (II) GDPR gives national lawmakers the possibility to restrict data subject rights, though these restrictions should apply only as far as is strictly necessary.

Overall, the EDPB notes that any processing or transfer will need to take into consideration, on a case-by-case basis, the respective roles (controller, processor, joint controller) and related obligations of the actors involved in order to identify the appropriate measures in each case.

WP 29 adopts guidelines on transparency under the GDPR

21. December 2017

The Article 29 Working Party (WP 29) has adopted guidelines on transparency under the General Data Protection Regulation (GDPR). The guideline intends to bring clarity to the transparency requirement regarding the processing of personal data and gives practical advice.

Transparency as such is not defined in the GDPR. However, Recital 39 describes what the transparency obligation requires when personal data is processed. Providing information to a data subject about the processing of personal data is one major aspect of transparency.

In order to explain transparency and its requirements, the WP 29 points out “elements of transparency under the GDPR” and explains its understanding of these. The following elements are named and described:

– “Concise, transparent, intelligible and easily accessible”
– “Clear and plain language”
– “Providing information to children”
– “In writing or by other means”
– “..the information may be provided orally”
– “Free of charge”

In a schedule, the WP 29 lists which information under Art. 13 and Art. 14 GDPR shall be provided to a data subject and which information is not required.