On 16 March the Chair of the European Data Protection Board (EDPB) Andrea Jelinek released a statement to help guide the data processing activities of public authorities, governments, and private organizations within the context of the COVID-19 pandemic.
Andrea Jelinek noted that “data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.” The EDPB furthermore pointed out that “[t]he GDPR is a broad legislation and also provides for the rules to apply to the processing of personal data in a context such as the one relating to COVID-19. Indeed, the GDPR provides for the legal grounds to enable the employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject. This applies for instance when the processing of personal data is necessary for the employers for reasons of public interest in the area of public health or to protect vital interests (Art. 6 and 9 of the GDPR) or to comply with another legal obligation.”
Additionally, the EDPB has noted that in the context of the employment relationship, the processing may be necessary for compliance with a legal obligation to which the employer is subject, i.e., "the obligation relating to health and safety at the workplace, or to the public interest, such as the control of diseases and other threats to health".
Concerning the processing of eCommunication data (including location data), the EDPB noted that national implementing laws of the ePrivacy Directive foresee that location data can only be used when anonymous or with consent of the data subject. In this sense, “[t]he public authorities should first aim for the processing of location data in an anonymous way (i.e., processing data aggregated in a way that it cannot be reversed to personal data)". Even anonymous processing could result to the generation of reports on the concentration of mobile devices at a certain location (“cartography”).” Article 15 of the ePrivacy Directive permits EU Member States to pass legislation in the interest of national and public security and in the case of COVID-19, public health may fall under this exemption. In cases where it is not possible to only process anonymous data, these legislative measures may apply. The EDPB, however, notes that "[t]his emergency legislation is possible under the condition that it constitutes a necessary, appropriate and proportionate measure within a democratic society." If such measures are introduced, where the processing of non-anonymised location data are processed, a Member State is obliged to put in place adequate safeguards, such as granting individuals the right to judicial remedy.
Finally, a principle that must be applied is the principle of proportionality. The EDPB notes that "[t]he least intrusive solutions should always be preferred, taking into account the specific purpose to be achieved." Specifically, any invasive measures taken must be subject to enhanced scrutiny and safeguards, where proportionality of the measure must be achieved, at least, "in terms of duration and scope, limited data retention and purpose limitation".
During its 24th plenary session, the EDPB reinforced several elements from its earlier guidance on data protection in the context of fighting the COVID-19 outbreak, considering that the fight against COVID-19 has been recognised by the EU and Member States as an important public interest.
On this occasion, Andrea Jelinek, the Chair of the EDPB, said: “The EDPB confirms that the GDPR offers tools giving the best guarantees for international transfers of health data and is flexible enough to offer faster temporary solutions in the face of the urgent medical situation.”
Find additional information here.