European data protection authorities have issued important guidance on the processing of personal data in connection with COVID-19.

At a pan-European level, on March 19, 2020, the European Data Protection Board issued a statement on the processing of personal data in the context of the COVID-19 outbreak.

The EDPB has adopted a pragmatic stance in light of the severity of the pandemic. The EDPB has recognized that the processing of special categories of personal data – specifically, information relating to individuals’ health – may be necessary to combat the outbreak, but has reminded organizations that the GDPR’s existing protections on the processing of personal data – including data minimization – remain in place.

The EDPB set out the following principles in its guidance:

  • The fight against communicable diseases is a valuable goal shared by all nations and therefore should be supported in the best possible way.
  • It is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world.
  • Data controllers and processors must ensure continued protection of the personal data of data subjects.
  • Data processing must respect the general principles of law and must not be irreversible.
  • The data processing must be proportionate and limited to the emergency period.

Lawfulness of processing

  • No consent is required for processing necessary to combat the outbreak, provided that another valid legal basis exists.
    • The GDPR allows competent public health authorities and employers to process personal data in the context of an epidemic. There is no need for such organizations to rely on consent of individuals when processing is necessary for reasons of substantial public interest in the area of public health. More specifically:
      • Public authorities are justified in processing personal data, including special categories of personal data, when the processing falls under the legal mandate of the public authority provided by national legislation and otherwise complies with the GDPR safeguards. This processing does not require individuals’ consent.
      • Employers are justified in processing personal data, including special categories of personal data in connection with COVID-19 to the extent necessary (a) to fulfill their obligations relating to health and safety at the workplace or (b) to control diseases and other threats to health, and provided such processing otherwise complies with the GDPR safeguards. This processing does not require individuals’ consent.
      • Special categories of personal data may also be processed to control an epidemic because it is (a) necessary for reasons of substantial public interest in the area of public health, (b) provided by Union or national law and/or (c) needed to protect the vital interests of the data subject. This processing does not require individuals’ consent.

Additional considerations in the employment context

  • Can an employer require visitors or employees to provide specific health information in the context of COVID-19? 
    • Data collection must be proportionate and only to the extent permitted or not prohibited by national law. 
  • Can an employer perform medical check-ups on employees?
    • Employers should only access and process health data if their own legal obligations require it.
  • Can an employer disclose that an employee is infected with COVID-19 to colleagues or to external parties?
    • Employers should inform staff about COVID-19 cases and take protective measures but should not communicate more information than is necessary.
    • In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g., in a preventive context) and national law allows it, the concerned employees must be informed in advance and their dignity and integrity must be protected.  
  • What information processed in the context of COVID-19 can be obtained by employers?  
    • Employers may obtain personal information to fulfill their duties and to organize the work in line with national legislation.
  • Notwithstanding the statements above, organizations should also consult guidance published by national supervisory authorities in the jurisdictions in which they operate. Although the themes overlap and are broadly consistent, nuances do exist, and a one-size-fits-all approach may not work across jurisdictions. Links to the guidance published to date can be found at the end of this blog post.

Processing of location data and other telecom data

  • In some member states, governments envisage using mobile location data as a possible way to monitor, contain or mitigate the spread of COVID-19. This could include, for example, geolocating individuals and/or sending public health messages to individuals in a specific area by phone or text message. Public authorities should first seek to process location data in an anonymous way. However, where it is not possible to do so, the ePrivacy Directive enables member states to introduce legislation to enable the processing of non-anonymized location data where necessary to safeguard public security. Any such legislation must be a necessary, appropriate and proportionate measure and provide adequate safeguards to data subjects concerned. In case of an emergency situation, it should also be strictly limited to the duration of the emergency at hand.
  • Location tracking of individuals may be proportionate under exceptional circumstances but would need to be subject to enhanced scrutiny and safeguards to ensure the respect of data protection principles, including proportionality of duration and scope, limited data retention and purpose limitation.

Continued respect for core privacy protections

  • Personal data may be processed only to the extent necessary to attain the stated, lawful objectives.
  • The purposes of the processing must be specified and explicit.
  • Individuals should receive transparent information on the processing activities that are being carried out and their main features, including the retention period for collected data and the purposes of the processing. The information provided should be easily accessible and provided in clear and plain language. 
  • Controllers and processors must continue to maintain adequate, documented security safeguards and protect the information from unauthorized access.
  • Measures implemented to manage the current emergency and the underlying decision-making process should be appropriately documented.

National supervisory authority guidance

As noted above, many European countries have also issued localized guidance on the processing of personal data in connection with the COVID-19 response. We have included links to that guidance below:


Contributors

Cooley’s c/d/p team

Posted by Cooley