EDPB answers questions related to COVID-19

During its 24th Plenary Session, the European Data Protection Board (EDPB) answered several interesting questions. The questions concerned, among other things, the transfer of health data and the protection under the GDPR in connection with the use of tracing tools and new technology.

Transfer of health data to third countries and international organisations

The United States Mission to the European Union inquired about the possibility of transferring health data in the context of international cooperation to develop a vaccine. Specifically, the US Mission asked about the possibility of relying on a derogation under Article 49 of the GDPR to make international data sharing easier. Article 49 lays down specific conditions for the transfer of personal data to third countries or international organisations in specific situations.

The EDPB replied that COVID-19 is recognised as an important public interest which may make it necessary to transfer personal data to third countries or international organisations for research purposes. The EDPB noted that the rules of the GDPR protect fundamental data protection rights in the EEA, but at the same time allow for cooperation between researchers from both the EEA and outside the EEA to fight COVID-19.

The protection of the data subject's fundamental rights must, therefore, be taken into account when transferring data outside the EEA. For example, Article 45 (transfers based on a decision on the adequacy of the level of protection) and Article 46 (transfers subject to appropriate safeguards) must be taken into account. However, authorities and private entities may rely on the exceptions in Article 49 if there is no decision pursuant to Article 45 or appropriate safeguards under Article 46. According to the EDPB, the rules of the GDPR therefore both protect the rights of the data subject and enable the international transfer of health data to address the COVID-19 situation.

GDPR protection using tracing and new technologies

In its response to two MEPs, the EDPB replied that data protection rules already take into account data processing activities necessary to contribute to fighting an epidemic. The EDPB referred to its previous guidelines on issues related to tracing tools, and its guidelines on the processing of health data for research purposes in the context of COVID-19. The EDPB noted that the GDPR rules are designed to be flexible so that they can both meet challenges and provide support during a pandemic, while at the same time protecting fundamental human rights and freedoms.

The EDPB also took a position on two letters asking about the latest technologies being developed for the fight against COVID-19. In this context, the EDPB referred to its guidelines on location data and contact tracing apps, which state that these technologies should use the least amount of data possible, that their use should be voluntary, and that they should not trace individual movements but rather use proximity information about users (proximity sensors).

EDPB guidelines

In all its responses, the EDPB referred to the guidelines presented at the 23rd Plenary Session on 21 April 2020. There, the EDPB presented guidelines on the processing of health data for research related to COVID-19 and guidelines on geolocation and other tracing methods related to COVID-19.

The guidelines aim to answer questions about the basis for processing health data, the possibility of further processing of health data for research purposes, the rights of the data subject, and the implementation of necessary safeguards.

The guidelines on geolocation and other tracing tools are intended, among other things, to clarify the terms and principles for the use of location data. They specify the conditions that apply to the use of location data to monitor the spread of the virus and to assess the effectiveness of measures. The guidelines also specify which GDPR rules are relevant to contact tracing, which is used to more easily notify individuals who have been in the vicinity of confirmed virus infections. In particular, the EDPB emphasises that for data processing in the context of COVID-19, the principles of efficiency, necessity, and proportionality must always be taken into account.