The European Data Protection Board has underlined that the data protection rules established by the Regulation do not in any way hinder measures taken to fight the Coronavirus SARS-CoV-2 pandemic, measures which could also include the processing of personal data. However, even during these exceptional times, controllers must ensure the protection of the data subjects' personal data and comply with the general processing principles.

In this context, the lawfulness of personal data processing is guaranteed by a legitimate public interest, one that is of extreme importance in the area of public health. Without the consent of the data subject, personal data can only be processed for determined and explicit purposes; however, the data subject must be informed about the means of the processing (including the storage period of the collected data).

Furthermore, additional appropriate security and confidentiality measures need to be adopted to make sure that the collected personal data are not disclosed to unauthorized persons.

More specifically, the Board provides further clarifications regarding the processing of personal data by public authorities or by employers, in the context of the measures imposed by the competent authorities.

With regard to the processing of personal data by public authorities, such processing is considered lawful under the provisions of article 6 and article 9 of the Regulation. In the context of an epidemic, public authorities are entitled to process the personal data of individuals, including certain special categories of personal data (such as health data), both when the processing is carried out directly by the public authority and when it is carried out by a private institution (processor) at the request of the authority. Where the processing is carried out by a public authority, that authority should have duties related to the public interest in the health area, such as the public health authority.

With regard to the processing of personal data in the employment context, the Board has provided separate clarifications in relation to the capacity of the data subject. Employers are entitled to process the personal data of their employees in the context of an epidemic, subject to a legitimate public interest (such as the control of diseases or other threats to health) or for compliance with a legal obligation (such as health and safety at the workplace). Health data can also be included in the data processed by employers, in accordance with Recital 46 of the Regulation, for the control of an epidemic and its spread.

Employers must respect the confidentiality of all COVID-19 cases within the company and should inform staff about these cases, but should not communicate more information than necessary and should at all times protect the dignity and integrity of the data subjects. Where it is necessary to disclose the name of an employee who contracted the virus (for the purposes of protective measures) and national law allows such disclosure, the employee in question shall be informed in advance.

The Board also explained that an employer could request, pursuant to the legitimate public interest in the area of public health, that visitors (third parties) provide specific health information in the context of COVID-19, but only in compliance with the proportionality principle, by reducing the data to a minimum, and only if national legislation allows it.