How Can You Process Data During the COVID-19 Pandemic?
On 19 March 2020, the European Data Protection Board (“EDPB”) released a statement on the processing of personal data in the context of the COVID-19 outbreak. The main message of the statement is that EU data protection law (in particular, the EU General Data Protection Regulation (“GDPR”)) does not stand in the way of fighting against COVID-19. However, the measures adopted need to be necessary, proportionate and consistent with safeguards required under EU member state laws. Emergency is a legal condition which may legitimize restrictions of individual freedoms when certain criteria are met.
The GDPR already allows competent public health authorities and employers to process personal data in the context of an epidemic. Processing can be necessary for reasons of substantial public interest in the area of public health. The other relevant legal grounds include personal data processing to protect an individual’s vital interests, or to comply with another legal obligation. In these situations, there is no need to rely on consent of individuals.
What information can employers process?
In the employment context, certain personal data processing may be necessary for an employer to comply with legal obligations, including those related to workplace health and safety or the public interest. However, these measures need to be taken in accordance with national laws.
Health information can be required from visitors and employees if applicable national law permits it. An employer can perform medical check-ups on employees if the applicable national employment law or relevant health and safety law allows for it.
In addition to following national laws, employers need to take steps to minimise the amount of information collected and make sure the collection is done in a proportionate manner.
Data protection principles
The EDPB sums up that personal data processed for a particular objective should only be processed for “specific and explicit purposes”.
Individuals should receive transparent information on the processing activities that are being carried out and their main features, including the retention period for collected data and the purposes of the processing. The information should be easy to access and provided in clear and plain language.
It is important to pay attention to adequate security measures and confidentiality policies ensuring that personal data are not disclosed to unauthorised parties. These measures should be appropriately documented.
Can location data be used?
As a means to monitor, contain or mitigate the spread of COVID-19, some governments in member states may use mobile location data to geolocate or send public health messages to individuals. In these situations, the public authorities should first try to anonymise location data (e.g., by aggregation) or, alternatively, obtain the consent of individuals to process such data.
When it is not possible to process anonymous location data, Art. 15 of the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security. Such exceptional legislation is only possible if it constitutes a necessary, appropriate and proportionate measure within a democratic society. The Member State is obliged to put in place adequate safeguards, such as providing individuals using electronic communication services with the right to a judicial remedy.
What is proportionate?
The proportionality principle means that the least intrusive solutions should always be preferred, taking into account the specific purpose to be achieved. Invasive measures, such as the “tracking” of individuals, could be considered proportional under exceptional circumstances and depending on the concrete modalities of the processing. However, such measures should be intensively examined and accompanied by safeguards to ensure respect for data protection principles.