COVID-19: How to remain GDPR compliant during an epidemic?
Authors: Jana Šteblaj, Barbara Hočevar
At a time when the spread of COVID-19 is increasing, many companies are facing complex questions about how to strike a balance between ensuring a healthy and safe working environment and protecting employees’ privacy.
While dealing with COVID-19, businesses have had to turn their well-established working processes upside down overnight. Remote work and the processing of data relating to employees’ past travel, their social contact history and even their geolocation have become the new reality.
Emergency situation demands emergency measures, right?
Yes, but bear in mind that the rules of the General Data Protection Regulation (“GDPR”) must still be complied with during the epidemic.
Appropriate legal ground for data processing
Despite the emergency situation caused by the epidemic, the GDPR requirement that data controllers have an adequate legal basis for data processing still applies. With respect to the processing of personal data of individuals in relation to COVID-19, controllers may, inter alia, rely on one of the following legal bases:
- Performance of a contract (Article 6(1)(b) of the GDPR): a legal basis that can be used, for example, when the processing of personal data is necessary to implement the rights and obligations of the employer and the employee arising from the employment relationship;
- Compliance with a legal obligation (Article 6(1)(c) of the GDPR): this legal basis is relevant in particular when the employer is required by law to take certain measures in relation to COVID-19 to ensure safety and health at work;
- Legitimate interests (Article 6(1)(f) of the GDPR): this basis is appropriate where the processing is necessary for the legitimate interests of the employer, such as maintaining the work process or protecting the health of employees, and those interests are not overridden by the interests or fundamental rights and freedoms of the employees (or other individuals) concerned. Note that this basis alone never suffices for health data, which additionally requires one of the Article 9(2) conditions described below.
It is worth mentioning that personal data such as health symptoms and diagnoses, travel history and contacts with persons with a confirmed COVID-19 diagnosis, and information on self-isolation or quarantine constitute, or may reveal, health data, which belongs to the so-called special categories of personal data under Article 9 of the GDPR. These types of personal data are particularly sensitive due to their highly personal nature, and their lawful processing requires an additional condition under Article 9(2) of the GDPR to be met on top of the Article 6 legal basis.
While the lawful processing of special categories of data is very limited, the GDPR sets out certain exemptions which allow controllers to lawfully process health-related data of individuals during an epidemic, for example where the processing is necessary for:
- Carrying out the employer’s obligations and exercising its rights in the field of employment law, including ensuring health and safety at the workplace (Article 9(2)(b) of the GDPR);
- Protecting the vital interests of the data subject (Article 9(2)(c) of the GDPR);
- Reasons of public interest in the area of public health (Article 9(2)(i) of the GDPR).
The GDPR therefore does not prohibit the processing of health-related data required to support the fight against the COVID-19 epidemic. However, controllers should be aware of and comply with the applicable rules of the GDPR even in this challenging time, and adjust their actions accordingly.
To ensure the lawful processing of data relating to COVID-19 and to the organisation of business operations during the epidemic, and to minimise the related risk of severe GDPR sanctions, consider the following measures and guidelines:
Embrace proportionality. Seek a balance between the employees’ privacy and the employer’s obligation to guarantee health and safety at the workplace. Apply a common-sense approach: if an adopted measure feels excessive, it probably is.
Limit the scope of data processing. Limit the data processed to what is strictly necessary to prevent immediate risks to the health and safety of people and to decide on appropriate response measures. If alternative ways of achieving the purpose are available, choose the least invasive one.
Update privacy notices and hand them out to employees. Deliver concise and transparent privacy notice to employees that contains up-to-date information on the processing activities, including on the purposes for processing, retention periods and the rights of data subjects.
Ensure cyber security. When introducing remote work, educate employees on security measures, encrypt traffic between remote devices and company systems, keep devices patched and equipped with up-to-date security software, and prepare to detect and manage data security incidents remotely, bearing in mind that a personal data breach may have to be notified to the supervisory authority within 72 hours under Article 33 of the GDPR.
Maintain confidentiality. Disclose only strictly necessary data. For example, if an employee tests positive for COVID-19, inform co-workers of the possible exposure without disclosing the identity of the affected person or providing more information than necessary.
Document decision-making processes. Record procedures for securing compliance with GDPR in writing to maintain evidence that the relevant data protection rules have been considered.
Consider conducting a data protection impact assessment (DPIA). Personal data relating to COVID-19 and one’s health is data of a sensitive nature, the processing of which entails high risks. Consider conducting a DPIA to identify the associated risks and take appropriate steps to mitigate them; note that under Article 35 of the GDPR a DPIA is mandatory where processing is likely to result in a high risk to individuals, for example large-scale processing of special categories of data.
Monitor guidelines of the competent authorities. Competent authorities are aware of the ambiguities surrounding the current challenges and regularly provide guidance on the interpretation of the GDPR and other insightful notices related to COVID-19. Guidelines of the Slovenian Information Commissioner are available on its website.
Monitor developments and respond accordingly. Adjust implemented measures on processing of personal data to the rapidly changing state of epidemic and measures adopted by the competent authorities.
Delete data once the purpose of its processing is fulfilled. Data relating to COVID-19 should in principle be processed only for as long as necessary to implement the measures and fulfil the rights and obligations of the controller relating to the COVID-19 epidemic. Once the purpose of processing is fulfilled, delete the respective data.