Series on Data Protection and Corona – Part 2: Data processing in connection with the coronavirus

20 March 2020

During the coronavirus pandemic, employers are caught between two sets of demands: on the one hand, protecting their own employees, safeguarding operational procedures and containing the pandemic; on the other hand, meeting the requirements placed on them with regard to data processing, in particular the processing of health data.

Some may not consider compliance with data protection requirements to be of paramount importance in the current situation.

Nevertheless, data processing, especially the processing of sensitive data, should comply with the data protection requirements of the GDPR and the national laws implementing it.

In Part 1 of the series we gave you a short overview of the statements published so far by the European Data Protection Authorities (DPAs). With this blog post we want to inform you about data processing in connection with the coronavirus.

Measures required by data protection law

The necessary measures to be observed and carried out in case of data processing relating to coronavirus do not differ fundamentally from those which must also be taken in any other data processing. The statements of the DPAs also do not indicate any relaxation with regard to data protection regulations.

These required measures include, among others:

  • providing comprehensive information to the data subjects concerned in accordance with Art. 13 (tomorrow’s article deals with this topic in detail),
  • the secure storage of personal data – further information on this will follow in the course of this article,
  • maintaining a record of processing activities pursuant to Art. 30 para. 1 GDPR.

Secure storage of personal data

If the data processing relies on a legal basis under Art. 9 para. 2 GDPR, several data security measures must be taken to ensure the security of the processing.

Without claiming to be exhaustive, the following measures will be discussed here, with examples given:

  • Sensitisation of those involved in processing operations;
    • data protection training of the employees involved in data processing,
    • raising awareness of the particular importance of sensitive data, such as health data,
    • reference to compliance with data protection standards, even in times of the Corona crisis.
  • Designation of a data protection officer;
    • if you are unsure whether and how you process personal data, appoint a data protection officer,
    • if you have already appointed a data protection officer, please contact him or her and ask for support.
  • Restriction of access to personal data within the responsible body and by contract processors, for example through:

    • Introduction of an access concept and adherence to the ‘need-to-know principle’ – make sure that the circle of people with access rights is as small as possible,
    • Locked storage of paper documents, e.g. in a safe or at least a lockable cabinet (access to the keys should of course also be limited),
    • Password-protected digital documents (share the password restrictively, in line with the ‘need-to-know principle’).

The series on Data Protection and Corona will continue tomorrow with a blog post on “Tips for Information Notices”.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.