The COVID-19 pandemic has led to a number of European governments, public organisations and private organisations to process various types of personal data in efforts to contain and mitigate the transmission of this virus. Clarifying the GDPR standpoint in this regard, the European Data Protection Board (EDPB) stressed that while the data protection rules do not hinder measures taken to fight this disease, the data controller must in all circumstances ensure the protection of personal data of the data subjects.
Being broad in nature, GDPR legislation also caters for the process of data in such scenarios. In fact, given the status of epidemic, both employers and the competent public health authorities are permitted to process data without the need of the data subject's consent. For instance, this applies where the personal data is necessary for employers with regard to issues relating to public health.
With regard to electronic communication data, including mobile location data amongst others, the e-Privacy Directive (the "Directive") states that an operator may only use location data when they are made anonymous or after obtaining the individual's consent. However, when the processing of anonymous data is not possible, the Directive provides the possibility for emergency legislation such that Member States are allowed to introduce legislative measures to safeguard national and public security, such as safeguarding public health provided that they are proportionate and limited to the emergency period. Upon the introduction of such measures, the Member State must in turn provide adequate safeguards, such as granting individuals the possibility of judicial remedy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
