Data protection and coronavirus (COVID-19)

The coronavirus disease (COVID-19) outbreak has infected more than 4 million people (May 18th, 2020) all around the world. Its spread has also left businesses counting costs and people losing jobs.

Personal Data Protection and Coronavirus (COVID-19). The situation in Europe and in Italy

The economic implications affected nearly all industries from Customer Service to Operations.

The Impact of Coronavirus on Stock Markets

The outbreak has also significantly affected the data protection field. Data protection authorities around the world are therefore stepping up to provide their input and guidance on data processing activities and the fight against the coronavirus.

The European Data Protection Board (EDPB)

On March 19, 2020, the European Data Protection Board (EDPB) adopted a «Statement on the processing of personal data in the context of the COVID-19 outbreak». The statement emphasized that while data protection rules, including the European Union’s General Data Protection Regulation (“GDPR”), should not “hinder measures taken in the fight” against COVID-19, data controllers and processors must ensure, “even in these exceptional times,” the protection of individuals’ personal data. The EDPB specifically explained that all measures taken in this context should comply with the general principles of law, and that “emergency is a legal condition which may legitimize restrictions to freedom provided these restrictions are proportionate and limited to the emergency period.”

Additionally, the EDPB once again named the core data privacy principles that data controllers and processors must abide by. Among those principles are that individuals should receive transparent information on processing activities, including the related purposes for processing and retention periods, and that companies must adopt adequate security measures and confidentiality policies, as well as document the measures implemented and the underlying decision-making processes to manage the current emergency.

With regard to the legal basis for processing personal data, the EDPB explained that the GDPR provides legal grounds for employers and competent public health authorities to process data in the context of an epidemic in accordance with national legislation and the conditions set therein. In the context of employment, processing may be necessary for compliance with a [national] legal obligation to which the employer is subject (such as obligations relating to health and safety at the workplace), or in the public interest, such as the control of illness and other health threats. The EDPB also stressed that exceptions to the medical data processing prohibitions can be made available to companies “where it is necessary for reasons of substantial public interest in the area of public health” or “where there is a need to protect the vital interests of the individual.” However, although the EDPB was able to provide some clarifications to the most important question, many practitioners criticize the statement for providing no specific recommendations, only a repetition of the general principles stated in the General Data Protection Regulation (GDPR).

The Guarantor for the personal data protection - the Italian situation

Contact us today to request more information on how to best comply with the rules on the protection of personal data during the coronavirus pandemic.

 

Fabrizio Bulgarelli – Partner RSM - Head of Risk Advisory Service (RAS) and IT Services