On March 19, 2020, European Data Protection Board (EDPB) published the new Statement on Data Protection During the COVID-19 Outbreak
Legal basis
Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. EDPB underlined in new Statement that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects. Emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period. Employer needs to apply the principle of proportionality and data minimization.
Protection of public interest
The GDPR allows competent public health authorities and employers to process personal data in the context of an epidemic, in accordance with national law. In particular, when processing is necessary for reasons of substantial public interest in the area of public health. Under those circumstances, there is no need to rely on consent of individuals. The relevant legal basis includes personal data processing in the public interest, or to protect an individual’s vital interests.
Privacy principles
Personal data must be processed for specified and explicit purposes. Individuals must receive transparent information on the processing activities, including the applicable retention period for the collected data and the purposes of the processing. It is important to adopt adequate security measures and confidentiality policies ensuring that personal data are not disclosed to unauthorised parties. Measures implemented to manage the current emergency and the underlying decision-making process should be appropriately documented.
Use of mobile location data
In case o using mobile location data as a possible way to monitor, contain or mitigate the spread of COVID-19 EDPB indicated, that public authorities should first seek to process location data in an anonymous way (processing data aggregated in a way that individuals cannot be re-identified), which could enable generating reports on the concentration of mobile devices at a certain location. When it is not possible to only process anonymous data, the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security
Please see more here: EDPB Statement
Marlena Wach, Ph.D.