Insights & news

Data Protection Authorities Provide Guidance on Processing of Personal Data in Context of COVID-19 Outbreak

  • 31/03/2020
  • Articles

The outbreak of the new Corona virus COVID-19 has caused various emergencies with novel challenges for many organisations collecting and processing personal data, such as:

 

  • Employers monitor employees working from home; request employees and visitors to report risk factors such as travelling or exposure to people with flu-like symptoms; may need to report that an employee is infected with COVID-19 to other employees;
  • physicians and pharmaceutical companies may wish to use data to investigate new treatments;
  • authorities enforce lockdown measures by video cameras and tracking phones; and
  • health authorities need detailed test results and other health data to map virus spreads and keep detailed statistics.

European and Belgian data protection authorities have provided guidance on the application of data protection rules to these novel challenges. “Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic”, writes the European Data Protection Board (EDPB).

While the urgency of the situation may justify measures that go further than would be normally allowed, the EDPB warns that these measures should be proportionate and limited to what is necessary: an “[e]mergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period”.

In addition, the Belgian data protection authority (Gegevensbeschermingsautoriteit / autorité de protection des données – the DPA) has published a Q&A on COVID-19 and the processing of personal data in the workplace. The DPA is of the opinion that employers should only process health data if required by public authorities. In other cases, health data of employees should always be processed by the occupational physician.

The DPA sets out a short Q&A in which it explains, among other matters, that measuring body temperature does not constitute a processing of personal data as long as it is not recorded. Nevertheless, the DPA reiterates that such measures should be implemented in accordance with applicable employment rules.

The full statement of the EDPB can be consulted here.

The Q&A of the Belgian DPA is available in Dutch and in French.  

Key contacts

Related practice areas

Related insights

Sign up for updates
    • 22/05/2020
    • Newsletters

    VBB on Belgian Business Law, Volume 2020, No. 4

    The April 2020 issue of our Belgian Business Law newsletter reporting on the latest developments in a range of areas, including competition, data protection, intellectual property and labour law.

    Read more
    • 30/04/2020
    • Articles

    Covid-19 | EDPB Guidelines on Location Data and Tracing Tools

    On 21 April 2020, the European Data Protection Board (the EDPB) published guidelines on the use of location data and contact tracing tools in the context of the Covid-19 outbreak (the Guidelines). The Guidelines discuss how to use location data and build contact tracing apps in compliance with EU data protection and ePrivacy rules. In addition, the EDPB provides a guide setting out an itemised list for developing contact tracing tools in the fight against Covid-19.

    Read more
    • 27/04/2020
    • Articles

    European Data Protection Board Guidelines on Processing Health Data for Scientific Research in the Covid-19 Outbreak

    On 21 April 2020, the European Data Protection Board (EDPB) adopted guidelines for the processing of personal data concerning health for the purposes of scientific research in the fight against Covid-19. One of a myriad of guidance documents published by the EDPB in relation to the ongoing Covid-19 crisis, these guidelines provide guidance to public and private organisations on how to reconcile scientific research with data protection requirements. In particular, the guidelines discuss the legal basis for such activity, the implementation of adequate safeguards, and the exercise of data subjects’ rights.

    Read more

Subscribe to our updates

Please select the practice areas you are interested in: *