The Statement of the European Data Protection Board on Data Processing in the Context of the COVID-19 Outbreak

The European Data Protection Board (EDPB) has adopted a statement regarding processing of personal data in the context of the COVID-19 outbreak on 19 March 2020. In the statement, EDPB underlines that, the data controller and processor must ensure the protection of the personal data of the data subjects, even in exceptional times; however, data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic.

EDPB implies that, the processing of personal data (especially location data and/or special categories of personal data such as health data) may be legitimate without relying on consent of individuals only when;

  • It falls under the legal mandate of the public authority (e.g. public health authorities) provided by national legislation and the conditions enshrined in the GDPR,
  • It is necessary for the employer to comply with a legal obligation such as obligations relating to health and safety at the workplace, or to the public interest, such as the control of diseases and other threats to health,
  • Member States introduce legislative measures which are necessary, appropriate and proportionate (proportionality of the measure in terms of duration and scope, limited data retention and purpose limitation) to safeguard public security in accordance with the Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms.

Please find the related statement here for detailed information.