Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak
Section 5.2 Purpose limitation and presumption of compatibility
42. As a general rule, data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” pursuant to Article 5 (1) (b) GDPR.
43. However, the “compatibility presumption” provided by Article 5 (1) (b) GDPR states that “further processing for […] scientific research purposes […] shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes”. This topic, due to its horizontal and complex nature, will be considered in more detail in the planned EDPB guidelines on the processing of health data for the purpose of scientific research.
44. Article 89 (1) GDPR stipulates that the processing of data for research purposes “shall be subject to appropriate safeguards” and that those “safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner”.
45. The requirements of Article 89 (1) GDPR emphasise the importance of the data minimisation principle and the principle of integrity and confidentiality as well as the principle of data protection by design and by default (see below). Consequently, considering the sensitive nature of health data and the risks when re-using health data for the purpose of scientific research, strong measures must be taken in order to ensure an appropriate level of security as required by Article 32 (1) GDPR.