Data Protection 30. March 2020

Czechia: Personal data processing during the COVID-19 outbreak

30. March 2020
Mgr. Matyáš Kužela
act legal Czechia

The European Data Protection Board (the “Board”) has issued a statement on personal data processing in association with the outbreak of the COVID-19 infection (the “statement”). In its statement, the Board has stated that the fight against the infection is most certainly in the interests of all humankind, but that administrators and processors must still adhere to the fundamental data processing principles set out in the General Data Protection Regulation (the “GDPR”) and secure adequate protection of all the personal data of the data subjects even in these exceptional times.

The Board’s statement also deals with the processing of personal data associated with the infection on the part of the public health authorities and employers, amongst other things. According to the Board, GDPR also covers exceptional situations and it enables processing which is in line with national law. In the case of employers, the Board has stated that the processing of any such data may be necessary for compliance with employer’s legal obligations associated with securing health and safety in the workplace. The statement also draws attention to the possibility of processing so-called sensitive personal data (which includes data on an individual’s state of health) in cases where the processing is necessary for reasons of public interest in the area of public health or for the protection of the vital interests of the data subject.

However, the Board calls upon employers to exercise restraint when processing sensitive personal data. It has especially emphasised the principles of proportionality and data minimisation. According to the Board, the employer may only process any sensitive personal data, if it is obliged to do so according to national law or if the national law enables it to do so. The Board has also appealed to the principle of integrity and confidentiality, whereby employers should not provide more information than is actually necessary in a specific case (for example, not providing the identity of any infected employees to the other employees when adopting protective measures, unless it is absolutely necessary to do so).

The Office for Personal Data Protection (the “Office”) has also issued statements on the processing of the health data of employees by employers in association with COVID-19 infections on its website. It has essentially permitted said personal health data processing with reference to the legal obligation of employers to provide a safe working environment and working conditions which are conducive to good health by means of the suitable organisation of occupational health and safety practices and measures aimed at preventing any risks. It is because GDPR enables the processing of sensitive personal data, if it is necessary for the purposes of carrying out the obligations of the controller in the field of employment. At the same time, however, the Office recommends proceeding in cooperation with the public health authorities. Like the Board, the Office has also stated that, if an employer informs the other employees of a potential risk (for example, that there is an infected person in the workplace) within the framework of the performance of its obligations, said employer should only provide this information about a specific individual at the extent which is necessary for the protection of health and always so that the dignity and integrity of the person in question is not impugned.

The Board’s statement further resolves the use of mobile location data to determine the positions of individuals by the governments of the member states for the purpose of monitoring, controlling or mitigating the spread of the infection. According to the Board, the public authorities should attempt to process any location data anonymously (i.e. process data aggregated in a way that individuals cannot be re identified). Each member state should adopt the appropriate legislation to process any non anonymised data. In this regard, we hereby state that so-called tracing has been made possible in the Czech Republic by Government Resolution no. 250 dated 18th March 2020 in association with the subsequent exceptional measures of the Ministry of Health dated 19th March 2020.

Based on these decisions, the Ministry of Health or the authorised regional hygiene stations can request mobile telephone operators to provide data on the movements of infected individuals based on the location data acquired from their mobile phones. The individual in question must give explicit consent for this to happen.

If you have any questions pertaining to personal data processing connected with the COVID-19 infection in your company, please do not hesitate to contact our specialists Matyáš Kužela or Tomáš Zwinger. They will be happy to help you set-up the data processing so that it is fully in line with GDPR.

Mgr. Matyáš Kužela
About the authors

Mgr. Matyáš Kužela


Matyáš Kužela focuses mainly on data protection and privacy, competition law, M&A and commercial law. With respect to data protection, Matyáš Kužela advises banks, international organizations and E-commerce entrepreneurs on data processing and transferring personal data abroad. He has extensive experience in representing clients before the Czech data protection authority. With respect to M&A and competition, Matyáš Kužela advises clients on Czech and international transactions that are subject to regulatory merger clearance. Further, he represents clients before the competition authorities in cartel investigations and helps clients with strong market position comply with the competition law requirements.

Mgr. Tomáš Zwinger

Senior Associate

Tomáš Zwinger focuses mainly on personal data protection law, IT & IP, M&A and medical law. With respect to data protection, Tomáš Zwinger advises international organizations on data processing and transferring personal data abroad. He also advises the clients in relation with the personal data breaches and in proceedings before the Czech Data Protection Authority.

About act legal Czechia:

Superior quality, competitive service yielding small team-oriented solutions tailored to the specific needs of clients.