Series on Data Protection and Corona – Part 2: Data processing in connection with the coronavirus

In the course of the coronavirus, the employer is in a field of tension between, on the one hand, the protection of his own employees, the safeguarding of the operational procedures and the containment of the pandemic, and, on the other hand, the requirements that are placed on him in regard to data processing, in particular the processing of health data.

Some may not consider compliance with data protection requirements to be of paramount importance in the current situation.

Nevertheless, the data processing, especially the processing of sensitive data, should comply with the data protection requirements of the DSGVO and national data protection implementation law.

In Part 1 of the series we gave you a short overview on statements of the European Data Protection Authorities (DPA), which have been published by now. With this blog post we want to inform you on data processing in connection with the coronavirus.

Measures required by data protection law

The necessary measures to be observed and carried out in case of data processing relating to coronavirus do not differ fundamentally from those which must also be taken in any other data processing. The statements of the DPAs also do not indicate any relaxation with regard to data protection regulations.

These required measures include, among others:

• the comprehensive information of the concerned data subjects according to Art. 13 (in this context, reference is already made to tomorrow’s article, which deals with this topic in detail),
• the secure storage of personal data – further information on this will follow in the course of this article,
• the maintenance of a records of processing activities pursuant to Art. 30 para. 1 GDPR.

Secure storage of personal data

If the data processing is based on a legal basis from Art. 9 para. 2 DSGVO several data security measures must be taken into account to ensure the security of the data processing.

Without claiming to be exhaustive, the following measures will be discussed here, with examples given:

• Sensitisation of those involved in processing operations;
  • data protection training of the employees involved in data processing,
  • raising awareness of the particular importance of sensitive data, such as health data,
  • Reference to compliance with data protection standards, even in times of the Corona crisis.
• Designation of a data protection officer;
  • if you are unsure whether and how you process personal data, appoint a data protection officer,
  • o If you have already appointed a data protection officer, please contact him or her and ask for support.
• Restriction of access to personal data within the responsible body and by contract processors;
  for example, through:
  • Introduction of an access concept and adherence to the ‘need-to-know principle’ – make sure that the circle of people with access rights is as small as possible,
  • Locked storage of paper-bound documents, e.g. in a safe or at least a lockable cabinet (the power of the keys should of course also be limited),
  • Password-protected digital documents (restrictive passing on of the password under consideration of the ‘need-to-know principle’).

The series on Data Protection and Corona will be continued tomorrow with a blogpost on “Tips for Information Notices”.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.

Series on Data Protection and Corona – Part 1: Statements of the European Data Protection Authorities

The Coronavirus is omnipresent at the moment and affects each and every one of us.

Even if it is not obvious at first, data protection and the Coronavirus certainly have points of contact, namely when personal data is processed in relation to the virus. This can be the case both in the employment context and also in relation to visitors and suppliers to a company. For example, in order to protect their own employees, one company may conduct access controls at the entrance to the company’s premises, while another company may ask their own employees about symptoms of the virus.

We would like to discuss these and other topics related to “Data Protection and Corona” with you in the next few days.

Today we would like to start this series by summarising the statements made so far by various European data protection authorities.

Legal basis for processing

The legal basis for the respective collection or processing of personal data within ann EU context can be found in the EU General Data Protection Regulation (GDPR) in conjunction with the respective national/state data protection laws and technical laws.

The legal basis for processing personal data follows from Art. 6 GDPR and for processing sensitive personal data, like health data, from Art. 9 GDPR.

Consent, pursuant to Art. 6 para. 1 s. 1 lit. a) GDPR and Art. 9 para. 2 lit. a) GDPR, should only be used as a legal basis if the data subjects have been fully informed about the data processing and have given their voluntary consent to a measure.

For the processing of personal employee data by public employers, the legal basis will be Art. 6 para. 1 s. 1 lit. e) GDPR. In this case, the data protection authorities recognise a measure in the public interest. Non-public employers act within the scope of their obligations arising from the employment relationship, Art. 6 para. 1 s. 1 lit. f) GDPR. In this context, special regulations from a member state’s collective bargaining law, labour law and social law may also need to be consulted. In the case of sensitive data processing the escape clause of Art. 9 para. 2 lit. b) GDPR in conjuction with the respective member state law must be observed.

In relation to processing the personal data of third parties, e.g. guests or visitors, measures taken by public authorities must be based on Art. 6 para. 1 s. 1 lit. c) and e) GDPR, and if necessary, in conjunction with the respective member state laws. For measures taken in the non-public sector, Art. 6 para. 1 s. 1 lit. f) may serve as a legal basis. When processing sensitive data of third parties, Art. 9 para. 2 lit. i) in conjunction with member state laws may be applicable.

List of Statements

In the following, we provide you a comprehensive list of statements made by various European data protection authorities on the processing of personal data in light of the Coronavirus up to this point:

• Germany Part 1, Part 2
• France
• Italy
• Spain Part 1, Part 2
• UK Part 1, Part 2 (formerly EU)
• Ireland Part 1, Part 2
• Belgium
• Luxemburg
• Austria
• Poland
• Denmark
• Sweden
• Finland
• Greece
• Czech Republic
• Hungary
• Slovakia
• Slovenia Part 1, Part 2
• Estonia
• Latvia
• Lithuania
• Romania
• Croatia
• Gibraltar (UK)
• Switzerland (not EU)
• Norway (not EU)
• Iceland (not EU)

The series on Data Protection and Corona will be continued tomorrow with a blogpost on “Data Protection in connection with the coronavirus”.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.