The European Data Protection Board (the “Board”) has issued a statement on personal data processing in association with the outbreak of the COVID-19 infection (the “statement”). In its statement, the Board has stated that the fight against the infection is most certainly in the interests of all humankind, but that administrators and processors must still adhere to the fundamental data processing principles set out in the General Data Protection Regulation (the “GDPR”) and secure adequate protection of all the personal data of the data subjects even in these exceptional times.
The Board’s statement also deals with the processing of personal data associated with the infection on the part of the public health authorities and employers, amongst other things. According to the Board, the GDPR also covers exceptional situations and it enables processing which is in line with national law. In the case of employers, the Board has stated that the processing of any such data may be necessary for compliance with the employer’s legal obligations associated with securing health and safety in the workplace. The statement also draws attention to the possibility of processing so-called sensitive personal data (which includes data on an individual’s state of health) in cases where the processing is necessary for reasons of public interest in the area of public health or for the protection of the vital interests of the data subject.
However, the Board calls upon employers to exercise restraint when processing sensitive personal data. It has especially emphasised the principles of proportionality and data minimisation. According to the Board, the employer may only process any sensitive personal data if it is obliged to do so according to national law or if the national law enables it to do so. The Board has also appealed to the principle of integrity and confidentiality, whereby employers should not provide more information than is actually necessary in a specific case (for example, not providing the identity of any infected employees to the other employees when adopting protective measures, unless it is absolutely necessary to do so).
The Office for Personal Data Protection (the “Office”) has also issued statements on the processing of the health data of employees by employers in association with COVID-19 infections on its website. It has essentially permitted said personal health data processing with reference to the legal obligation of employers to provide a safe working environment and working conditions which are conducive to good health by means of the suitable organisation of occupational health and safety practices and measures aimed at preventing any risks. This is because the GDPR enables the processing of sensitive personal data if it is necessary for the purposes of carrying out the obligations of the controller in the field of employment. At the same time, however, the Office recommends proceeding in cooperation with the public health authorities. Like the Board, the Office has also stated that, if an employer informs the other employees of a potential risk (for example, that there is an infected person in the workplace) within the framework of the performance of its obligations, said employer should only provide this information about a specific individual to the extent which is necessary for the protection of health and always so that the dignity and integrity of the person in question is not impugned.
The Board’s statement further addresses the use of mobile location data to determine the positions of individuals by the governments of the member states for the purpose of monitoring, controlling or mitigating the spread of the infection. According to the Board, the public authorities should attempt to process any location data anonymously (i.e. process data aggregated in a way that individuals cannot be re-identified). Each member state should adopt the appropriate legislation to process any non-anonymised data. In this regard, we hereby state that so-called tracing has been made possible in the Czech Republic by Government Resolution no. 250 dated 18th March 2020 in association with the subsequent exceptional measures of the Ministry of Health dated 19th March 2020.
Based on these decisions, the Ministry of Health or the authorised regional hygiene stations can request mobile telephone operators to provide data on the movements of infected individuals based on the location data acquired from their mobile phones. The individual in question must give explicit consent for this to happen.
If you have any questions pertaining to personal data processing connected with the COVID-19 infection in your company, please do not hesitate to contact our specialists Matyáš Kužela or Tomáš Zwinger. They will be happy to help you set up the data processing so that it is fully in line with the GDPR.