Governments and public and private organisations throughout Europe are taking measures to contain and mitigate COVID-19 and its consequences, and many of these measures involve processing sensitive personal data. Even so, they must keep the GDPR and the obligations it imposes in mind throughout the crisis.
What should be considered in terms of GDPR?
Measures taken by these organisations in the fight against the spread of COVID-19 can involve the processing of different types of personal data. Although an emergency is a legal condition that may legitimise restrictions on freedoms, such restrictions must be proportionate, limited to the emergency period and reversible. In other words, even in these exceptional times, data controllers and processors must ensure the protection of the personal data of data subjects.
Health data is a special category of personal data under the GDPR, and processing it normally requires the explicit consent of the data subject. The GDPR nonetheless provides legal grounds, as exceptions, that allow personal data to be processed without consent where processing is ‘necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health’ (Article 9(2)(i)).
Although these exceptions allow sensitive personal data to be processed without the consent of data subjects, the requirements of confidentiality, data minimisation, purpose limitation and data security continue to apply.
Personal Data of Employees
In the employment context, the processing of personal data may be necessary for compliance with a legal obligation to which the employer is subject, such as obligations relating to health and safety at the workplace, or for reasons of public interest, such as the control of diseases and other threats to health. Derogations from the prohibition on processing such sensitive personal data are also possible under the GDPR for reasons of substantial public interest in the area of public health, such as an epidemic, or to protect the vital interests of the data subject.
In the context of COVID-19, employers should only request health information to the extent that national law allows, and the principles of proportionality and data minimisation are particularly relevant here. Employers may obtain only the personal data they need to fulfil their duties and to organise work in line with national legislation, and nothing more.
Employers should keep staff informed about COVID-19 cases in the organisation and take protective measures, but should not communicate more information than necessary. Where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and national law allows it, the employees concerned shall be informed in advance and their dignity and integrity shall be protected.
Processing of Telecom Data such as Location Data
Additional rules apply to the processing of electronic communications data, such as mobile location data used to track human mobility and to develop recovery strategies. The national laws implementing the ePrivacy Directive must also be respected; these provide that location data may only be used by the operator when it has been anonymised, or with the consent of the individuals concerned.
Personal data protection rules do not apply to data that has been appropriately anonymised. Public authorities should therefore first aim to process location data anonymously, i.e. aggregated in a way that cannot be reversed to personal data. This can still produce useful outputs, such as reports on the concentration of mobile devices at a given location (cartography). Note that merely pseudonymised data (for example, hashed device identifiers that can still be linked back to an individual) remains personal data under the GDPR and does not benefit from this exemption.
Where anonymisation is not possible, the ePrivacy Directive (Article 15) allows Member States to introduce legislative measures to safeguard national security and public security. Such emergency legislation is permissible only where it constitutes a necessary, appropriate and proportionate measure within a democratic society.
Organisations also have to decide how long any additional data they collect and process will be retained, and who has access to it.
Where the GDPR exceptions apply during the COVID-19 crisis, the legal basis for collecting and processing the additional or sensitive personal data is tied to the emergency itself. Once the crisis is over, that basis falls away, so best practice is not to keep such data longer than necessary and to dispose of it properly.
Data protection law contains exceptions to ensure that it does not hinder useful measures to tackle emergency situations such as COVID-19, but this does not and should not mean that any personal data can be collected and processed without meeting the basic requirements of the GDPR. During the COVID-19 crisis, all controllers and processors must be more careful, not less, because their obligations under the GDPR continue to apply.
Note: in Cyprus, the relevant national law is the Electronic Communications and Postal Services Law (L. 112(I)/2004).