Data Protection Authorities Provide Guidance on Processing of Personal Data in Context of COVID-19 Outbreak

  • 31/03/2020
  • Articles

The outbreak of the new coronavirus COVID-19 has created emergencies that pose novel challenges for many organisations collecting and processing personal data, such as:


  • employers monitor employees working from home, ask employees and visitors to report risk factors such as travelling or exposure to people with flu-like symptoms, and may need to report to other employees that an employee is infected with COVID-19;
  • physicians and pharmaceutical companies may wish to use data to investigate new treatments;
  • authorities enforce lockdown measures by video cameras and tracking phones; and
  • health authorities need detailed test results and other health data to map virus spreads and keep detailed statistics.

European and Belgian data protection authorities have provided guidance on the application of data protection rules to these novel challenges. “Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic”, writes the European Data Protection Board (EDPB).

While the urgency of the situation may justify measures that go further than would normally be allowed, the EDPB warns that these measures should be proportionate and limited to what is necessary: an “[e]mergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period”.

In addition, the Belgian data protection authority (Gegevensbeschermingsautoriteit / autorité de protection des données – the DPA) has published a Q&A on COVID-19 and the processing of personal data in the workplace. The DPA is of the opinion that employers should only process health data if required by public authorities. In other cases, health data of employees should always be processed by the occupational physician.

The DPA sets out a short Q&A in which it explains, among other matters, that measuring body temperature does not constitute a processing of personal data as long as it is not recorded. Nevertheless, the DPA reiterates that such measures should be implemented in accordance with applicable employment rules.

The full statement of the EDPB can be consulted here.

The Q&A of the Belgian DPA is available in Dutch and in French.  
