Even in exceptional times, protection of personal data must be ensured

 March 17, 2020 | Blog

Many clients have questions about the processing of (sensitive) personal data in light of the current COVID-19 coronavirus outbreak. In this document, we will inform you about the statement issued by the European Data Protection Board (“EDPB”) in that regard.

The EDPB is of the opinion that data protection laws as such do not hinder measures taken to mitigate the COVID-19 outbreak. However, as it is possible that more or different (categories of) personal data are processed due to the outbreak and the measures taken to that end, it is important that, according to the EDPB, “even in these exceptional times, the data controller must ensure the protection of the personal data of data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

The EDPB confirms that the GDPR provides for the legal grounds to enable the employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject. According to the statement, such processing of personal data is possible for employers:

  • for reasons of public interest in the area of public health (art. 9(2)(i) GDPR),
  • to protect vital interests (art. 6(1)(d) GDPR), or
  • to comply with another legal obligation

Unfortunately, the EDPB only sums up possible options that can be found in the GDPR but does not clearly confirm that we are in a situation in which these options can actually be invoked by employers to avoid the problem that in many jurisdictions consent is not a valid ground in an employment context.

Exception of article 9(2)(i) GDPR

It is important to note that said exception of art. 9(2)(i) GDPR only applies ‘on the basis of Union or Member State law that applies for suitable and specific measures to safeguard the rights and freedoms of the data subject’. It is also worth mentioning that the ‘vital interest’ exception applies only in very limited situations of acute risk. Of course, the pandemic we are facing is exceptional, but as long as authorities do not advise taking such measures to protect the vital interests of data subjects, it is in our opinion questionable whether an employer is free to impose temperature measurements under the GDPR. An alternative could be to require employees to check their temperature themselves regularly and to report to the occupational health and service provider in case of a fever.

Location data

The foregoing does not only apply to the processing of data concerning health, for instance when measuring fevers or registering symptoms, which may allow the exceptions of “vital interests” or “public interest in the area of public health” to be invoked. It also applies to the processing of location data, for instance with regard to travel history, by operators and public authorities, which is governed by the e-Privacy Directive. The EDPB recognizes that processing such data for reasons of safeguarding public health might fall under the notion of “national or public security” as listed in the e-Privacy Directive (and national implementation acts). The processing of electronic communication data, such as mobile location data, is governed by additional rules. The EDPB stresses that under the e-Privacy Directive location data can only be used by the operator when they are made anonymous, or with the consent of the individuals concerned. Therefore, public authorities should aim for the anonymous processing of location data (i.e. processing data aggregated in a way that it cannot be traced back to personal data). This could enable the generation of reports on the concentration of mobile devices at a certain location (“cartography”).

When it is not possible to process anonymous data only, art. 15 of the e-Privacy Directive allows the Member States to introduce emergency legislation.

The bottom line remains that the rights and interests of data subjects should be carefully balanced against any other (legitimate) interests when processing personal data and that EU and national data protection laws should be adhered to, even in the event of “health crises”, such as the current COVID-19 outbreak.
