GDPR and processing of health related data – Case study

>> Case of health crises situation/ contagious disease:

a. Lawful grounds of the processing:

Health data is a special category of personal data which attracts a higher degree of protection. Per Article 6 of GDPR, processing of personal data is considered lawful if [1]:

(1) the data subject has given consent;

(2) it is necessary for the performance of a contract to which the data subject is a party;

(3) it is necessary for compliance with a legal obligation;

(4) it is necessary to protect the vital interest of the data subject or another natural person;

(5) it is necessary for the performance of a task carried out in the public interest;

(6) it is necessary for the purposes of the legitimate interests pursued by the controller or third party.

Inferences can be drawn from the European Data Protection Board (EDPB) statement regarding the GDPR applicability in relation to Covid-19. It was stated that GDPR rules must be adhered to even during the crisis’s times. However, national governments are permitted to act in the public interest, still, the use of data should be limited.[2] Also, the EDPB stated that all measures taken in this context should comply with the general principles of law and that an ‘emergency is a legal condition which may legitimize restrictions to the freedom provided these restrictions are proportionate and limited to the emergency period.’[3].                         

Further, refererce should also be made to Article 9 of the GDPR – Article 9(2)(i) of the GDPR explicitly permits the processing of sensitive personal data (including genetic data, biometric data, and data concerning health) where it is ‘necessary for reasons of public interest in the area of public health’. Further, Recitals 46, 52, 53, and 54 also acknowledge the need to process sometimes special categories of personal data for reasons of public interest in the area of public health[4].

Thus, one of the reason for processing data would predominantly be safeguarding the public interest in public health (i.e., only collecting as much personal data as is strictly necessary for the purposes being pursued). Even the plea to protect the vital interests of data subjects or another person can be taken. However, consent of the data subject would be required – the most appropriate would be written consent or oral consent, in which case the purpose, date and time would also have to be noted and filed (Article 5(2) GDPR). Also, data controller [5] should be transparent by informing affected individuals about the use of their data.

b. Data that can be processed:

In the present case, personal data is processed to safeguard health conditions. Personal data in reference to health data is provided in Recital 35, dealing with Health data in the GDPR[6]. Further, the mechanism for processing of personal data is provided in Article 5 of the GDPR[7]. Personal data in relation to health is categorized as generic data, biometric data or data concerning health[8]. The applicable clause here would be ‘Data concerning health’, which is defined by the GDPR as ‘personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status’.[9] However,the European Court of Justice (ECJ)[10], did state that the term ‘data concerning health’ must be widely interpreted.

c. Duration for which data can be kept in a form which permits the identification of data subjects:

Though, the storage period would vary per the category of data and the data characteristics. However, data should generally be stored for the shortest time possible. Further, storage limitation does state that personal data should be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.[11]. Thus, GDPR does not provide any specific timeframe or the number of days/ months for storing personal data.

However, in case of derogation/ exception, personal data may be kept for a longer period for archiving purposes in the public interest [12][13]. (Article 5 of the GDPR  states that ‘personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to the implementation of the appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject’[14])

Also, additional safeguards and derogations are provided in Article 89(3) to the Union or the member states for archiving purposes of the personal data[15].


[1] Article 6 of the GDPR; available at Also refer J. Rastogi, GDPR and healthcare: Understanding health data and consent (2018); available at

[2] H. Porter, How has Covid-19 impacted the GDPR (2020); available at

[3] Data protection and coronavirus (COVID-19); available at

[4] S. McLennan et al., Covid-19: Putting the General Data Protection Regulation to the Test, JMIR Public Health Surveill (2020); available at

[5] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR (version 2.0), 7.07.2021, §30 the definition of ‘controller’ defined in Article 4(8) of the GDPR. Also, the controller does exert a decisive influence on the purpose and means of the processing. 


        [7] Article 5 of the GDPR,

        [8]  Article 9 of the GDPR,

        [9]  J. Rastogi, GDPR and healthcare: Understanding health data and consent (2018); available at

        [10] See, for example, regarding Directive 95/46/EC, ECJ 6.11.2003, C-101/01 (Lindqvist) paragraph 50.

        [11] Storage limitation principle – How long should you keep personal data (2021); available at

        [12] Article 5(1)(e) and Recital (39) of the GDPR

        [13] For how long can data be kept, and is it necessary to update it? European Commission, available at

        [14]  GDPR Principle 5: Storage Limitation (2020), available at

        [15] Article 89 of the GDPR,


        The views in all sections are personal views of the author.