On April 21, 2020, European Data Protection Board (“EDPB”) adopted two new guidelines includes the guideline on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak and the guideline on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (“Guidelines 04/2020”). In this text, the content of such guidelines will be reviewed.

1.The Guideline on the Processing of Data Concerning Health for the Purpose of Scientific Research in the Context of the COVID-19 Outbreak (“Guideline 03/2020”)

The EDPB stresses that neither the right to the protection of personal data as per the Article 8 of the Charter of Fundamental Rights of the European Union (“EU”) nor the freedom of science as per the Article 13 of the Charter of Fundamental Rights of the EU have precedence over the other and such must be carefully assessed and balanced.

Data Concerning Health

In the Guideline 03/2020, the EDPB states that the data concerning health must be interpreted widely by referring to the European Court of Justice’s relevant jurisprudence in the case numbered C-101/01 and underlines that among the medical history, the assumptions made in light of medical examinations, and symptoms, the personal data normally does not considered as special categories of data such as travel history may become health data due to its specific usage in context of diagnosis activities.

Further Processing

In the Guideline 03/2020, further processing is explained in context of COVID-19 by giving the example that where a patient’s data collected through its treatment being used for scientific researches afterwards. In order to ensure that such further processing has a legal basis, the EDPB indicates options in terms of the Article 6 and Article 9 of the General Data Protection Regulation (“GDPR”) stating that consent or respective national legislation can be addressed.


Pursuant to the Article 14(4) of the GDPR where a data controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject with all necessary information on that further purpose prior to the aimed further processing. Accordingly, the EDPB states that the data controllers must provide the data subjects with the necessary information prior to the initiation of processing of their health data collected for other purposes. However, the EDPB also emphasizes the application of the information obligation exemptions as stipulated under the Article 14(5) of the GDPR, in particular constitution of proved impossibility, or disproportionate effort.

Legal Basis

The EDPB states that the GDPR is a broad piece of legislation and provides for several provisions that allow to handle the processing of personal data for the purpose of scientific research connected to the COVID-19 outbreak and underlines that the GDPR foresees a specific derogation to the prohibition of processing of certain special categories of personal data where it is necessary for these purposes of scientific research.

International Transfer

The EDPB acknowledges that combating COVID-19 may require data transfer on international level including transfers to the third countries and organizations that do not ensure the adequate level of data protection. The EDPB stresses that the duty to inform data subjects has to be fulfilled, and, if necessary appropriate safeguards have to be put in place as per the Article 46 of the GDPR. Moreover, the data exporters should assess the risks to the rights and the freedoms of data subjects of each transfer.

Derogations May Apply

As regard to the exceptional and fall back nature of the derogations stipulated under the Article 49 of the GDPR, the EDPB states that the necessity of urgent measures regarding the current pandemic outbreak constitutes an acceptable ground to use such derogations, in particular the necessity of important reasons of public interest, and explicit consent of the data subject.

Accordingly, the EDPB recently stated in its response letter to the United States Mission regarding possible health data transfers from the European Economic Area to the United States for research purposes, such health data transfers can be made on the basis of public interest as provided in the Article 49 of the GDPR, since the fight against COVID-19 has been recognized by the EU and its member states as an important public interest.

2.The Guideline on the Use of Location Data and Contact Tracing Tools in the Context of the COVID-19 Outbreak (“Guideline 04/2020”)

The Guideline 04/2020 focuses on the differences between the contract tracing and use of location data and offers a Contact Tracing Applications Analysis Guide as an annex for best practices.

Use of Location Data

The EDPB underlines that contract tracing application do not require to track individuals, therefore location data is not required for such contact tracing applications. On the other hand, location data of the patients can be used to model the spread of the virus or effectiveness of the measures.

In this regard, the EDPB recalls that for location data collected from electronic communication providers shall only be processed in compliance with the Article 6 and Article 9 of the ePrivacy Directive. Therefore, pursuant to mentioned legislation location data shall only be processed if the user has given its consent, or such data has been anonymized. The EDPB also implies the possibility to restrict such provisions with necessary, appropriate and proportionate measures within a democratic society as stipulated under Article 15 of the ePrivacy Directive, yet, member states have to adopt their own legislative measures to do so.

Anonymized Location Data

In regard to the role of the processing of individuals’ location data may have in combating the COVID-19, the EDPB point out virtues of the anonymization regarding data protection and the importance of the proper anonymization technics. If personal data is properly anonymized, processing of such anonymized data shall not fall into scope of the GDPR. Therefore, in order to provide appropriate data protection, processing of anonymized data should be preferred in the context of pandemic.

As defined by the EDPB, anonymization refers to the use of a set of techniques in order to remove the ability to link the data with an identified or identifiable natural person against any “reasonable” effort. The EDPB states that robustness of the anonymization has to be subjected to the reasonability test in terms of both objective aspects (time, technical means) and contextual elements that may vary case by case (rarity of a phenomenon including population density, nature and volume of data). Furthermore, the EDPB stresses that anonymization has to be made for datasets as a whole on contrary to the often mistaken pseudonymization which usually applies for a single data pattern.

Contact Tracing

The EDPB addressed several issues regarding contact tracing applications in line with the European Commission’s Guidance of April 16, 2020 on Apps supporting the fight against COVID 19 pandemic in relation to data protection in the Guideline 04/2020.

The importance of identification of the purposes is stressed by the EDPB with regards to the principle of purpose limitation and preventing any further processing. Such applications must identify their purposes and only process adequate, necessary and proportionate personal data.

The EDPB underlines that such applications must strictly be voluntary, should not trace individuals, and have to be subjected to a data impact assessment prior to their deployment. The EDPB states that these applications can be based on a centralized or a decentralized approach, yet, they must be based on an architecture relying as much as possible on users’ devices and the patient’s contact history or its identifiers should be transmitted to servers after the confirmation of the COVID-19 diagnosis.

Moreover, the applications should not store any information which may identify COVID-19 positive individuals and possibly infected ones due to epidemiologically relevant contact in their centralized servers. The EDPB also recommends some specific technical requirements to fulfil achieved data protection levels such as state-of-the-art cryptographic processes, or pseudonymous identifiers exchanging technology between users' mobile equipment.

Author: Aslı Naz Ünlü