Series on Data Protection and Corona – Part 1: Statements of the European Data Protection Authorities

19. March 2020

The Coronavirus is omnipresent at the moment and affects each and every one of us.

Even if it is not obvious at first, data protection and the Coronavirus certainly have points of contact, namely when personal data is processed in relation to the virus. This can be the case both in the employment context and also in relation to visitors and suppliers to a company. For example, in order to protect their own employees, one company may conduct access controls at the entrance to the company’s premises, while another company may ask their own employees about symptoms of the virus.

We would like to discuss these and other topics related to “Data Protection and Corona” with you in the next few days.

Today we would like to start this series by summarising the statements made so far by various European data protection authorities.

Legal basis for processing

The legal basis for the respective collection or processing of personal data within an EU context can be found in the EU General Data Protection Regulation (GDPR) in conjunction with the respective national/state data protection laws and technical laws.

The legal basis for processing personal data follows from Art. 6 GDPR and for processing sensitive personal data, like health data, from Art. 9 GDPR.

Consent, pursuant to Art. 6 para. 1 s. 1 lit. a) GDPR and Art. 9 para. 2 lit. a) GDPR, should only be used as a legal basis if the data subjects have been fully informed about the data processing and have given their voluntary consent to a measure.

For the processing of personal employee data by public employers, the legal basis will be Art. 6 para. 1 s. 1 lit. e) GDPR. In this case, the data protection authorities recognise a measure in the public interest. Non-public employers act within the scope of their obligations arising from the employment relationship, Art. 6 para. 1 s. 1 lit. f) GDPR. In this context, special regulations from a member state’s collective bargaining law, labour law and social law may also need to be consulted. In the case of sensitive data processing, the escape clause of Art. 9 para. 2 lit. b) GDPR in conjunction with the respective member state law must be observed.

In relation to processing the personal data of third parties, e.g. guests or visitors, measures taken by public authorities must be based on Art. 6 para. 1 s. 1 lit. c) and e) GDPR, and if necessary, in conjunction with the respective member state laws. For measures taken in the non-public sector, Art. 6 para. 1 s. 1 lit. f) may serve as a legal basis. When processing sensitive data of third parties, Art. 9 para. 2 lit. i) in conjunction with member state laws may be applicable.

List of Statements

In the following, we provide you with a comprehensive list of statements made by various European data protection authorities on the processing of personal data in light of the Coronavirus up to this point:

The series on Data Protection and Corona will be continued tomorrow with a blogpost on “Data Protection in connection with the coronavirus”.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.