On 19 March 2020, the European Data Protection Board (EDPB) adopted a statement on how employers and public authorities may process personal data in the context of the COVID-19 outbreak.
Indeed, employers and public authorities are playing a role in the containment of COVID-19 and have envisaged various kinds of data processing activity to monitor and contain the outbreak (e.g. use of mobile location data). In this context, the EDPB proposed an analysis of the overall lawfulness of the envisaged processing activities.
1. GDPR core principles still apply to the processing of personal data in the context of epidemics
An emergency may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.
In this regard, controllers should still comply with the data protection principles and, in particular, they should:
- Process these data for specific and explicit purposes;
- Provide individuals with an information notice including the main features of the processing, such as the retention period and the purposes of the processing;
- Implement security measures and confidentiality policies to prevent any unauthorised access;
- Document the measures implemented to manage the current emergency and the underlying decision-making process.
2. Employers’ processing activities in the context of the COVID-19 outbreak
2.1. Employers must refer to specific national laws
The EDPB reminds employers to only process personal data to the extent permitted by specific national laws.
Indeed, the legal bases for processing personal data in the context of COVID-19 are compliance with a legal obligation, such as obligations relating to health and safety at the workplace, or the public interest, such as the control of diseases and other threats to health.
Furthermore, if health data are necessary, employers may rely on:
- article 9.2.i, which allows for the processing of special categories of data for reasons of substantial public interest in the area of public health based on Union or national law; or
- article 9.2.c, where there is a need to protect the vital interest of the data subject.
2.2. Employers’ authorised processing activities in the COVID-19 context
There is no uniform answer applicable across the European Union. Reference to national laws is, therefore, necessary to understand what an employer can do in the context of COVID-19.
However, where required or permitted by national laws on employment or health and safety, the employer may plan to:
- Require health information from employees or visitors;
- Carry out medical checks (e.g. temperature checks);
- Collect health information;
- Communicate the names of infected employees to the other employees. However, the EDPB points out the obligation for employers to inform the concerned employee beforehand and to protect their dignity and integrity;
- Obtain personal information processed in the context of COVID-19 to fulfil their duties and to organise the work.
3. Public authorities and the monitoring of the COVID-19 outbreak
3.1. GDPR allows public authorities to process personal data in the COVID-19 context
The GDPR allows competent public health authorities to process personal data in the context of an epidemic.
Public authorities can rely on articles 6 and 9 GDPR to process personal data in this context (e.g. public interest, the vital interest of the data subject).
However, additional conditions apply when public authorities envisage using mobile location data, as the e-privacy directive also applies.
3.2. Can the public authorities use mobile location data to monitor and contain the COVID-19 outbreak?
In some Member States, governments envisage using mobile location data to monitor, contain or mitigate the spread of COVID-19 (e.g. for geolocating individuals or sending public health messages to individuals in a specific area by phone or text message).
The EDPB encourages public authorities to first seek to process location data anonymously, as this may be sufficient to generate cartography, and the GDPR would not apply in this case.
However, there are cases where anonymous data are not sufficient to achieve the envisaged purposes.
Specific national law is necessary to process location data without individuals’ consent
Under the e-privacy directive, location data can only be used by the operator when made anonymous or with the individuals’ consent.
Where anonymous data are not sufficient to achieve the envisaged purposes of the processing activities, Member States may introduce legislative measures to safeguard public security (see article 15 e-privacy directive).
Such exceptional legislation is only possible if the envisaged measures:
- Constitute a necessary, appropriate and proportionate measure within a democratic society;
- Comply with the Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms;
- Are implemented for no longer than the duration of the emergency at hand;
- Are subject to adequate safeguards (e.g. individuals are provided with a right to judicial remedy).
Besides, these measures are subject to the judicial control of the European Court of Justice and the European Court of Human Rights.
Tracking of individuals remains subject to strict conditions
The EDPB encourages public authorities to prefer the least intrusive solutions.
Where more invasive measures are envisaged, such as the “tracking” of individuals (i.e. processing of historical non-anonymised location data), they could be allowed under exceptional circumstances and depending on the concrete modalities of the processing.
The EDPB recommends this activity be subject to enhanced scrutiny and that public authorities implement safeguards to ensure the respect of the data protection principles (proportionality of the measure in terms of duration and scope, limited data retention and purpose limitation).