Data Protection Authorities Provide Guidance on Processing of Personal Data in Context of COVID-19 Outbreak
The outbreak of the new Corona virus COVID-19 has caused various emergencies with novel challenges for many organisations collecting and processing personal data, such as:
- Employers monitor employees working from home; request employees and visitors to report risk factors such as travelling or exposure to people with flu-like symptoms; may need to report that an employee is infected with COVID-19 to other employees;
- physicians and pharmaceutical companies may wish to use data to investigate new treatments;
- authorities enforce lockdown measures by video cameras and tracking phones; and
- health authorities need detailed test results and other health data to map virus spreads and keep detailed statistics.
European and Belgian data protection authorities have provided guidance on the application of data protection rules to these novel challenges. “Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic”, writes the European Data Protection Board (EDPB).
While the urgency of the situation may justify measures that go further than would be normally allowed, the EDPB warns that these measures should be proportionate and limited to what is necessary: an “[e]mergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period”.
In addition, the Belgian data protection authority (Gegevensbeschermingsautoriteit / autorité de protection des données – the DPA) has published a Q&A on COVID-19 and the processing of personal data in the workplace. The DPA is of the opinion that employers should only process health data if required by public authorities. In other cases, health data of employees should always be processed by the occupational physician.
The DPA sets out a short Q&A in which it explains, among other matters, that measuring body temperature does not constitute a processing of personal data as long as it is not recorded. Nevertheless, the DPA reiterates that such measures should be implemented in accordance with applicable employment rules.
The full statement of the EDPB can be consulted here.
The Q&A of the Belgian DPA is available in Dutch and in French.