GDPR through the prism of the coronavirus epidemic
The general rule contained in Art. 6/1. (d) of the General Data Protection Regulation (GDPR) allows for the processing of personal data (e.g. on the individual’s movement and geo-location) where it is necessary in order to protect the vital interests of the data subject or of another natural person.
In addition, Art. 9/1. (g), (h) and (i) allow for the processing of special categories of personal data (e.g. data on an individual’s health status), if it is necessary for reasons of substantial public interest, on the basis of Union or Member State law …; or if it is necessary for the purposes of preventive … medicine or if it is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care.
As further explained in recital (46) of GDPR, the processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person … as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread.
Given the above, there is little doubt that for the purpose of containing the coronavirus epidemic and saving people’s lives, certain personal data may be processed, even when no other legal ground (e.g. the individual’s consent) exists. The tough question is whose personal data may be processed, which personal data may be processed and for what purpose those data may be processed. May the authorities reveal that a certain person is infected in order to inform and thus protect the people with whom she is usually in contact? Should people be forced to disclose their location data to determine whether they have been to the most affected areas? Should quarantine be monitored by tracking people’s mobile devices?
While it is not easy to draw a hard-and-fast line between the right to privacy and the rights of other people to stay healthy, the data protection authorities’ standpoints on the topic offer some, if basic, insights. For now, they mostly focus on employer – employee relationships.
In Italy, Europe’s most affected country, the Garante opined that, while leaving the obligation on the employee to inform the employer of any danger to health and safety at the workplace intact, employers must refrain from collecting, in advance and in a systematic and generalised manner, including through specific requests to the individual worker or unauthorized investigations, information on the presence of any signs of influenza in the worker and his or her closest contacts, or anyhow regarding areas outside the work environment.
The French CNIL adopted a similar position, detailing that, for example, mandatory readings of the body temperatures of each employee or the collection of medical sheets or questionnaires from all employees should not be carried out.
The Irish Data Protection Commission warned that the processing of personal data for the purpose of the provision of healthcare and the management of public health issues should be necessary and proportionate. The Commission also stressed the importance of confidentiality, meaning that any communications to staff about the possible presence of coronavirus in the workplace should not generally identify any individual employees.
Similarly, the Danish Datatilsynet believes that the disclosure of infected employees should only be made in exceptional circumstances.
Article provided by: Matija Jamnik (JK Group, Slovenia)
Dr. Tobias Höllwarth (Managing Director INPLP)