Processing of personal data during Covid-19 pandemic

On 19 March 2020, the European Data Protection Board (the EDPB) has adopted a statement on the processing of personal data in the context of the Covid-19 outbreak.  The Statement concerns the processing of different types of personal data by Governments, public and private organisations throughout Europe during their efforts to contain and mitigate Covid-19.

The EDPB stated that GDPR rules do not represent an obstacle to the measures taken to prevent and fight Covid-19 pandemic, but would like to underline that, even in these exceptional circumstances the personal data of the subjects must be protected.  The measures taken against Covid-19 must guarantee the lawful processing of personal data and respect the general principles of law and must not be irreversible.

The GDPR allows competent public health authorities and employers to process personal data in the context of epidemic, in accordance with national law, the EDPB gave as example the following situation: “when processing is necessary for reasons of substantial public interest in the area of public health, under those circumstances, there is no need to rely on consent of individuals.

The EDPB considers that articles 6 and 9 of the GDPR enable the processing of personal data (including special categories), when it falls in the legal mandate of the public authority provided by national legislation and the conditions of the GDPR.  Derogations to the prohibition of processing special categories of personal data, such as health data, are envisaged by the GDPR, where it is necessary for reasons of substantial public interest in the public health area (art. 9.2 (i)), on the basis of Union or national law, or where there is the need to protect the vital interests of the data subject (art. 9.2 (c)), referred explicitly to the control of an epidemic.

  • With regard to the employment the EDPB states that the processing of personal data may be necessary for compliance with a legal obligation to which the employer is subject such as obligations relating to health and safety at the workplace, or to the public interest, such as the control of disease and other threats to health.

If it is the case, employers should inform staff about Covid-19 cases and take protective measures, and communicate only necessary information.  Although, in cases where it is necessary to reveal the name of the employee(s) who contacted the virus, but only for preventive context, and if the national law allows it, the concerned employee(s) shall be informed in advance and their dignity and integrity shall be protected.

  • Regarding the processing of telecom data, such as location data, can only be used by the operator when made anonymous or with the consent of individuals. The Member States can only adopt exceptional legislations regarding this kind of personal data, only if it constitutes a necessary, appropriate and proportional measure within a democratic society.  

Some Member States, governments foresee the possibility to geolocate individuals or to send public health messages to individuals in a specific area by phone or text message.  The EDPB advised that the public authorities should first seek to process location data in an anonymous way (i.e. processing data aggregated in a way that individuals cannot be re-identified), which could enable generating reports on the concentration of mobile devices at a certain location.

However, when it is not possible to only process anonymous data, adequate safeguards should be put in place by Member States, such as providing individuals of electronic communication services the right to a judicial remedy.

The EDPB asserted that the proportionality principle applies, as the least intrusive solution should always be preferred taking into account the specific purpose to be achieved.  “Tracking” of individuals (i.e. processing of historical non-anonymised location data) could be considered proportional under exceptional circumstances and depending on the concrete modalities of the processing – but under enhanced scrutiny and safeguards to ensure the respect of data protection principles (proportionality of the measures in terms of duration and scope, limited data retention and purpose limitation).

 All the above mentioned measures should be processed for specified and explicit purposes, should be strictly limited to the duration of the emergency at hand and must respect the Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms.

In addition, the EDPB stated that the data subject should receive transparent information, easily accessible and provided in clear and plain language on the processing activities, including the retention period for collected data and the purposes of the processing. Moreover the EDPB emphasized on the importance of adequate documented security measures and confidentiality policies to be taken in order to ensure that personal data are not disclosed to unauthorised parties.