On 19 March, the European Data Protection Board (EDPB) adopted a formal statement on the processing of personal data in the context of the COVID-19 outbreak, which emphasises that data protection laws do not hinder measures taken in the fight against the pandemic, and that “emergency is a legal condition which may legitimize restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.” That said, the EDPB emphasises that, even in these exceptional times, controllers and processors must ensure the protection of the personal data of data subjects.
In particular, the statement includes guidance on the following in the context of the pandemic and relevant requirements under the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 and Directive 2002/58/EC (the ePrivacy Directive):
Lawfulness of Processing
The GDPR is a broad piece of legislation that allows competent public health authorities and employers to process personal data in the context of an epidemic in accordance with national law. For example, processing in the substantial public interest for public health does not require the consent of individuals.
Public Authorities / Special Categories
In such circumstances, the processing of personal data, including special categories of data, by public health authorities is permitted under Articles 6 and 9 GDPR, which enable the processing of personal data, and under any legal mandate provided by national law.
In the employment context, the processing of personal data may be necessary for compliance with a legal obligation to which the employer is subject, such as obligations relating to health and safety at the workplace, or for the public interest, such as the control of diseases and other threats to health. The GDPR also accepts derogations from the prohibition on processing certain special categories of personal data, such as health data, where it is necessary for reasons of substantial public interest in the area of public health (Art. 9.2.i), on the basis of EU or national law, or where there is a need to protect the vital interests of the data subject (Art. 9.2.c); recital 46 explicitly refers to the control of an epidemic.
Location data can only be used by the operator when made anonymous or with the consent of individuals. However, Art. 15 of the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security. Such exceptional legislation is only possible if it constitutes a necessary, appropriate and proportionate measure and respects EU human rights. In an emergency situation, it must also be strictly limited to the duration of the emergency at hand.
Core Principles Relating to the Processing of Personal Data
Personal data that is necessary to attain the objectives pursued must be processed for specified and explicit purposes. In addition, data subjects must receive transparent information on the processing activities that are being carried out and their main features, including the retention period for collected data and the purposes of the processing. The information provided must be easily accessible and provided in clear and plain language.
It is important to adopt adequate security measures and confidentiality policies ensuring that personal data are not disclosed to unauthorised parties. Measures implemented to manage the current emergency and the underlying decision-making process must be appropriately documented.
Use of Mobile Location Data
Can Member State governments use personal data related to individuals’ mobile phones in their efforts to monitor, contain or mitigate the spread of COVID-19?
In some Member States, governments envisage using mobile location data as a possible way to monitor, contain or mitigate the spread of COVID-19, for instance by geolocating individuals or by sending public health messages to individuals in a specific area by phone or text message. If so, public authorities must first seek to process location data in an anonymous way (i.e. processing data aggregated in a way that individuals cannot be re-identified), which could enable generating reports on the concentration of mobile devices at a certain location (“cartography”).
Personal data protection rules do not apply to data which has been appropriately anonymised. Where anonymisation is not possible, the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security (Art. 15).
If measures allowing for the processing of non-anonymised location data are introduced, a Member State is obliged to put in place adequate safeguards, such as providing individuals using electronic communication services with the right to a judicial remedy. The proportionality principle also applies, and the least intrusive solutions must be used.
Invasive measures, such as the “tracking” of individuals (i.e. processing of historical non-anonymised location data) could be considered proportional under exceptional circumstances, and only under enhanced scrutiny and safeguards to ensure the respect of data protection principles.
Processing Personal Data of Employees: Q&A
Can an employer require visitors or employees to provide specific health information in the context of COVID-19?
The principles of proportionality and data minimisation apply, and the employer must only require health information to the extent that national law allows it.
Is an employer allowed to perform medical check-ups on employees?
Employers must only access and process health data if their own legal obligations under national law require it.
Can an employer disclose that an employee is infected with COVID-19 to their colleagues or to external parties?
Employers must inform staff about COVID-19 cases and take protective measures, but must not communicate more information than necessary. In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the concerned employees must be informed in advance and their dignity and integrity must be protected.
What information processed in the context of COVID-19 can be obtained by the employers?
Employers may obtain personal information to fulfil their duties and to organise work to the extent that national law allows it.