EDPB Issues Guidance on GDPR Compliance in the Age of COVID-19

March 20, 2020 | Alerts

After many data protection authorities (in the European Union and beyond) provided guidance and FAQs on the relationship between COVID-19 (Coronavirus) and data protection laws (e.g. the GDPR), the European Data Protection Board has weighed in with guidance of its own.

Key Takeaways:

GDPR Does Not Prohibit Measures to Deal With COVID-19

  • Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic.
  • The fight against communicable diseases is a valuable goal shared by all nations and therefore should be supported in the best possible way.
  • It is in the interests of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world.
  • Even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.
  • Emergency is a legal condition which may legitimize restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.

Legal Bases

  • The GDPR allows competent public health authorities and employers to process personal data in the context of an epidemic, in accordance with national law and in circumstances such as when processing is necessary for reasons of substantial public interest in the area of public health.
  • In the employment context, the processing of personal data may be necessary for compliance with a legal obligation to which the employer is subject such as obligations relating to health and safety at the workplace, or to the public interest.
  • Location data can only be used by the operator when made anonymous or with the consent of individuals. However, Article 15 of the ePrivacy Directive enables member states to introduce legislative measures to safeguard public security. Such exceptional legislation is only possible if it constitutes a necessary, appropriate and proportionate measure within a democratic society.
  • Measures under member state laws are subject to the judicial control of the European Court of Justice and the European Court of Human Rights. In an emergency situation, such measures should also be strictly limited to the duration of the emergency at hand.

Core Principles

  • Personal data that is necessary to attain the objectives pursued should be processed for specified and explicit purposes.
  • Data subjects should receive transparent information on the processing activities that are being carried out and their main features.
  • It is important to adopt adequate security measures and confidentiality policies ensuring that personal data are not disclosed to unauthorized parties.

Location Data

  • Public authorities should first seek to process location data in an anonymous way (i.e. processing data aggregated in a way that individuals cannot be re-identified), which could enable generating reports on the concentration of mobile devices at a certain location (cartography).
  • If measures allowing for the processing of non-anonymized location data are introduced in accordance with the ePrivacy Directive, a member state is obliged to put in place adequate safeguards, such as providing users of electronic communication services the right to a judicial remedy.
  • The proportionality principle also applies. The least intrusive solutions should always be preferred, taking into account the specific purpose to be achieved.
  • Invasive measures, such as the “tracking” of individuals (i.e. processing of historical non-anonymized location data), could be considered proportional under exceptional circumstances and depending on the concrete modalities of the processing. However, such measures should be subject to enhanced scrutiny and safeguards to ensure respect for data protection principles (proportionality of the measure in terms of duration and scope, limited data retention and purpose limitation).

Employment

  • An employer should only require health information to the extent that national law allows it.
  • Employers should only access and process health data if their own legal obligations require it.
  • Employers should inform staff about COVID-19 cases and take protective measures, but should not communicate more information than necessary. In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the employees concerned shall be informed in advance and their dignity and integrity shall be protected.
  • Employers may obtain personal information to fulfill their duties and to organize the work in line with national legislation.

Odia Kagan is Chair of the firm's GDPR Compliance & International Privacy Practice. She can be reached at 215.444.7313 or [email protected].