Belgian DPA Statement Regarding Health-Related Apps in the Context of COVID-19
Time 2 Minute Read
Categories: European Union, Health Privacy, International

On March 31, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published a short statement on its website (the “Statement”) regarding health-related apps. The Belgian DPA indicated that the Statement is in response to numerous questions regarding the use of personal data in the context of the COVID-19 pandemic.

The Belgian DPA noted that several health-related apps fail to comply with applicable data protection requirements (while acknowledging that public health and the fight against COVID-19 are critically important). The Belgian DPA underlined several points:

  • Anonymity. To the extent anonymous data is sufficient for the purpose(s) of the app, personal data (including identification data) should not be collected. Similarly, apps should not collect data that, in combination with other information, can indirectly identify a patient. Truly anonymous data does not allow for re-identification.
  • Patient-Doctor Relationship. It should be clear if the app is used in the context of an existing patient-doctor relationship. (Ideally, the healthcare provider should invite the patient to use the app.) In this context, personal data should only be collected to ensure the continuity and quality of care for the patient.
  • Other Scenarios. If the two scenarios above are inapplicable—in other words, the app does not use anonymous data or operates outside the patient-doctor relationship—an app processing personal data must provide, on the very first screen accessed by users and prior to any data collection, information about how data will be processed (including the data controller’s identity, the processing purposes, whether cookies are used, etc.). Personal data cannot be collected before a user may use the app. In addition, the app can use personal data only to achieve the processing purpose(s) communicated to users, and only under the direction of the identified data controller. When users stops using the app, they should be provided the option to have their personal data transmitted to another healthcare provider. If a user refuses, that individual’s personal data should be deleted and should no longer be used.
Tags: Belgium, Coronavirus/COVID-19, EU Member States, GDPR, Personal Data, Personal Health Information, Personal Information
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 3 Minute Read
Connecticut AG Clarifies AI Compliance Obligations Under CTDPA

The Connecticut Attorney General recently issued a legal memorandum regarding the application of existing Connecticut laws, such as the Connecticut Data Privacy Act, to the use of artificial intelligence.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Oklahoma Enacts Comprehensive Consumer Privacy Law

On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law, enacting the Oklahoma Consumer Data Privacy Act, which will take effect on January 1, 2027.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
UK ICO Publishes Guidance on Recognized Legitimate Interest Basis

On March 23, 2026, the UK Information Commissioner's Office released new guidance clarifying the use of the new recognized legitimate interest lawful basis for processing personal information under UK data protection law.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 4 Minute Read
HHS Final Rule on 42 CFR Part 2 Requires Targeted Updates to HIPAA Privacy Notices

Recent changes to 42 CFR Part 2 mean many covered entities must update their HIPAA Notices of Privacy Practices by February 16, 2026.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page