In light of the ongoing COVID-19 pandemic across the globe, the European Data Protection Board recently released a statement regarding GDPR’s applicability in this time of crisis. The EDPB stressed that, even in these exceptional times, GDPR rules and regulations must be adhered to; they are perhaps more important now than ever. Below we list considerations that should be taken into account to guarantee the lawful processing of personal data during this time of crisis.
1. Information that you collect from individuals regarding COVID-19 is likely to be considered personal data.
In an effort to manage the impact of the COVID-19 outbreak, organizations may be collecting information from personnel that would not typically be collected. For example, companies may collect information such as whether their staff have self-isolated or self-quarantined by collecting device location data. This information would be considered personal data, and because it pertains to individuals' health, it would likely fall within the special categories of personal data (“SCD”), which are subject to additional protections under GDPR.
2. You need to understand what personal data is required from individuals for the purpose(s) you are pursuing.
Organizations may want to collect as much information as possible from individuals relating to COVID-19; however, the GDPR requires that they collect only as much personal data and/or SCD as is strictly necessary for the purposes being pursued.
Prior to collecting any personal data and/or SCD from individuals, organizations should have a clear purpose in mind, as well as a clear understanding of what personal data and/or SCD, and level of detail, is required to fulfil this purpose.
For example, if your organization is trying to determine whether your employees should be self-isolating at home, it may be sufficient to ask, on a 'yes' or 'no' basis, whether the employee, or anyone within the employee’s household, is displaying symptoms of COVID-19 or is considered to be at high risk of experiencing severe COVID-19 complications, as opposed to asking for detailed and specific information.
3. You need a valid legal basis for processing the personal data collected from individuals relating to COVID-19.
The GDPR requires organizations to have a legal basis for processing personal data. Such legal bases include legitimate interests, contractual necessity or legal obligation, or another country-specific legal basis (as outlined by that country).
Because COVID-19 related information would likely be considered SCD, a further condition must also be satisfied, such as: employment-related obligations, preventative or occupational medicine, or public interest in the area of public health.
4. You may need to update your privacy notices.
If you are collecting new categories of personal data and/or SCD from individuals and using such data for new purposes, it will likely be necessary to update privacy notices to reflect these changes in the collection of data from individuals.
5. Other issues to consider from a data protection compliance perspective.
There are a number of other issues that you should consider from a data protection compliance perspective, including:
• Disclosure of COVID-19 cases to personnel: employers may (subject to requirements of applicable law) inform personnel about COVID-19 cases. Disclosure of such information should be limited as much as possible.
• Responding to individual rights requests: the EDPB has stated that GDPR enforcement will not be suspended during the COVID-19 outbreak; this means that data subject requests must be responded to in a timely fashion.
• Remote working policies: many organizations have requested that their employees work remotely, so you should review and update remote working policies, and remind personnel of the requirements of these policies.
• Third-party data sharing: you may need to share the new personal data and/or SCD being collected due to COVID-19 with third parties for data processing purposes, or in relation to certain contractual obligations. Your data processing agreements with these third parties (e.g. insurers or medical professionals) must remain compliant with the requirements of the GDPR.
Organizations should continue to monitor guidance issued by the EDPB, as well as the guidance of national data protection regulators in the countries in which organizations have a presence. Please feel free to contact us with any questions you may have about GDPR or other data privacy regulation compliance!