The European Data Protection Board (EDPB, the Board) recently published Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (the Guidelines).
In our previous article, we tackled points of interest regarding processing personal data in the context of scientific research. We now take a fresh look and summarize key aspects stemming from the EDPB’s Guidelines and add-on some relevant input from the perspective of the Romanian legal regime.
As per the Guidelines, there are a few avenues controllers may contemplate with respect to the legal basis for their processing activities in the given context.
- Consent of the data subjects:
Processing data concerning health for scientific research purposes may be conducted on the basis of consent obtained pursuant to Article 6 (1) a) and Article 9 (1) a) of the GDPR. In order to be deemed valid, consent must abide by all the strict conditions prescribed under the GDPR, the EDPB particularly outlining it must be “freely given, specific, informed and unambiguous” and “made by way of statement or clear affirmative action”. In order to fulfill these requirements, data subjects should not feel pressured and should understand they will suffer no disadvantages if they decided not to provide their consent.
Data subjects must have the possibility to withdraw consent at any time. In this context, all processing activities that were previously based on consent remain lawful, but controllers must bear in mind the need to stop the processing and delete the data if they can’t rely on another lawful basis justifying the retention for further processing.
- Alternatives for consent:
Depending on their object and field of activity, controllers may rely on the performance of a task carried out in the public interest (or exercise of official authority vested in them) or legitimate interest under Article 6 (1) (e) and (f) respectively, together with derogations provided for in Article 9 (2) (i) and (j) of the GDPR when processing data concerning health for purposes of scientific research.
Member States’ enacted legislation should ensure data protection principles are complied with and suitable safeguards, such as professional secrecy are in place. In this respect, local law imposes a legal obligation to professional secrecy for physicians, also enshrining such obligation under the Deontological Code of the Romanian College of Physicians.
- National legislation specifics:
In addition to the above-mentioned grounds which may be applicable for controllers conducting scientific research processing, providers in the healthcare sector should also consider their wider legal obligations with respect to reporting data on communicable diseases. As per Government Decision 589/2007 and the COVID-19 Supervision Methodology, healthcare providers must transmit mandatory reports/communications to the public health directorate(s). These reports may contain information such as name and surname of the patient, symptoms, epidemiological connections, etc. Once the relevant information is received by the public authorities, they are forwarded to the Public Health Institute which, in turn, conducts relevant analyses reports to be disclosed to the general public and the World Health Organization. These reports will only include aggregate data.
In addition, pursuant to Order No. 807/2020, specialty units that conduct testing for determining infections with COVID-19, including, insofar applicable, private healthcare providers, must provide certain reports to the county public health authorities.
Data protection principles
The Board places particular emphasize on the following data protection principles:
Scientific research often implies processing personal data which has not been directly collected from the data subjects, thus triggering the applicability of Article 14 of the GDPR. As a general rule, data subjects should be informed with respect to the processing activities without undue delay and, at the latest, within one month after the data has been obtained.
More specifically, as regards further processing, the EDPB indicates data subjects should be provided with information “within a reasonable period of time before the implementation of the new research project”, explaining this would create awareness with respect to the project and allow the exercise of data subjects’ rights.
There are certain exemptions applicable in relation to the provision of information. Amongst others, controllers should consider Article 14 (5) c) of the GDPR, applicable if the “obtaining or disclosure is expressly laid down by Union of Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests”. Romanian legal provisions are not always clear as regards appropriate measures implemented to this effect and thus reliance on such exemption should be analyzed carefully, on a case by case basis.
Another potentially relevant exemption, provided under Article 14 (5) b) relates to provision of information which “would involve a disproportionate effort”. In assessing the disproportionate character, Recital 62 of the GDPR makes reference to the “number of data subjects, the age of the data and any appropriate safeguards adopted”.
- Integrity and confidentiality:
Processing personal data entails the need for adequate security measures. The Board refers to “pseudonymisation, encryption, non-disclosure agreements, strict access role distribution, restrictions as well as logs” as minimum measures and to the necessity of conducting a data protection impact assessment (DPIA) for high risk processing activities. The Romanian Supervisory Authority has specifically indicated large scale processing of health data as one of the scenarios triggering the need to prior perform a DPIA.
The Board also highlights the importance of data protection officers, insofar having been appointed, and the need to consult with them as regards processing of data concerning health in the current scientific research climate.
Romanian Law 362/2018 transposing the NIS Directive also establishes minimum security requirements for healthcare providers. Such requirements include: management of access rights, external storage drives, vulnerabilities and security alerts; incident response; testing and evaluating the security of networks and information systems; training and ensuring awareness of employees on security requirements. As certain measures of the NIS Directive are currently still being implemented under local law, it is expected that more detailed and prescriptive measures will be applicable for economic operators in certain fields, including healthcare providers.
- Purpose limitation, data minimization, storage limitation:
Unfortunately, the Board does not shed much light on the compatibility presumption between initial purposes and scientific research purposes, promising however this would be subject to more detailed guidance to be issued in the future.
As for data minimization and storage limitation, controllers must understand their research questions and needs as well as the type and amount of necessary data and the relevant storage durations. Insofar possible, data should be processed in an anonymized manner for scientific research.
Some of these matters have been also addressed in our previous article, available here.
Rights of the data subjects
Article 89 (2) of the GDPR provides the national legislator with the possibility of derogating from some data subject rights. In this respect, Law 190/2018 allows for derogations from certain rights (access, rectification, restriction, objection) for, amongst others, the purpose of scientific research, insofar such rights are likely to render impossible or to seriously impair the achievement of the specific purpose and the derogations are necessary for the fulfilment of such purpose. The Romanian legislator continues by mentioning derogations are applicable subject to the existence of adequate safeguards for data subjects’ rights and freedoms, as provided under article 89 (1) of the GDPR.
Although the above mentioned provisions are supposed to help scientific research efforts, minimal clarity is provided regarding their practical implementation. Considering the Guidelines point out to the strictly necessary character of restrictions imposed on data subjects’ rights, controllers wishing to rely on the provisions of Law No. 190/2018 should undertake a thorough analysis to ensure compliance with data protection requirements is met.
In addition to the above exemptions, controllers should also bear in mind restrictions resulting directly from the GDPR – some of these have been described here.
Transfers of data for scientific research purposes
Bodies and organizations at the international level are encouraging the exchange of information in the COVID-19 context, for example with respect to global efforts in the direction of obtaining a vaccine. Such information exchange may be implemented by way of dialogue between the public health authorities around the world, as well as with the involvement of certain private entities, bringing into play data protection requirements on data transfers.
In accordance with GDPR and the Guidelines, the data exporter must provide specific information to data subjects on the transfers of personal data to a third country or international organization. When doing so, companies should not lose sight of the Brexit impact on the qualification of the United Kingdom as a third country for the purpose of data transfers.
Importantly, as regards the lawful transfer of data, the EDPB outlines the potential reliance on the derogations under Article 49 of the GDPR, in lack of adequacy decisions or appropriate safeguards. Whilst acknowledging the current exceptional health crisis, the Board points out to transfers necessary “for important reasons of public interest” under Article 49 letter d), as well as to explicit consent under letter a). Such derogations may be justifiable for initial transfers, however repetitive transfers would still be subject to the normal transfer requirements.
 Government Decision 589/2007 on the reporting methodology and collection of data on communicable diseases (Government Decision 589/2007)
 Order No. 807/2020 for establishing attributions in the testing activity for tracking infections with the SARS-CoV-2 virus at the level of certain units subordinated to the Ministry of Health (Order No. 807/2020)
 Decision No. 174/2018 regarding the list of activities for which it is mandatory to conduct a data protection impact assessment
 Law No. 362/2018 regarding the ensuring of a general high level of security of networks and information systems (Law 362/2018)
 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of networks and information systems across the Union (NIS Directive)
 “Healthcare provider” means any natural or legal person or any other entity legally providing healthcare on the territory of a Member State, as defined in Article 3 point (g) of Directive 2011/24/EU of the European Parliament and of the Council
 Law No. 190/2018 regarding measures for the application of Regulation (EU) 2016/679 of the European Parliament and the Council from 27 April 2016 regarding the protection of natural persons with respect to the processing of the personal data and regarding the free movement of such data and for repealing Directive 95/46/EC – General Data Protection Regulation (Law 190/2018)