Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak

Section 3.1  “Data concerning health”

7. According to Article 4 (15) GDPR, “data concerning health” means “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. As indicated by Recital 53, data concerning health deserves higher protection, as the use of such sensitive data may have significant adverse impacts for data subjects. In the light of this and the relevant jurisprudence of the European Court of Justice (“ECJ”), the term “data concerning health” must be given a wide interpretation.

8. Data concerning health can be derived from different sources, for example:

• 1. Information collected by a health care provider in a patient record (such as medical history and results of examinations and treatments).

• 2. Information that becomes health data by cross referencing with other data thus revealing the state of health or health risks (such as the assumption that a person has a higher risk of suffering heart attacks based on the high blood pressure measured over a certain period of time).

• 3. Information from a “self check” survey, where data subjects answer questions related to their health (such as stating symptoms).

• 4. Information that becomes health data because of its usage in a specific context (such as information regarding a recent trip to or presence in a region affected with COVID-19 processed by a medical professionalto make a diagnosis).