Data Protection under SARS-CoV-2
Revision as of 12:03, 19 March 2020
General Comments
The sudden and unexpected outbreak of COVID-19 ("Corona-Virus"), which the WHO has declared a pandemic, has also given rise to new data processing activities by EU member states and private companies. These processing activities mostly focus on preventing or slowing the further spread of the Corona-Virus and on monitoring citizens' compliance with governmental measures such as quarantine.
At the moment, it is not easy to determine which processing activities are actually being conducted and which are only rumours. This page will therefore be updated once particular processing activities have been confirmed. For now, this article does not assess the lawfulness of particular processing activities, but rather outlines the general conditions for data processing in connection with the Corona-Virus.
It must be noted that several activities - such as monitoring whether citizens comply with quarantine and stay indoors by looking at mobile phone locations - can be carried out without using personal data within the meaning of Article 4(1) GDPR, because all necessary information can be derived from anonymised data. The GDPR does not apply to activities that rely only on anonymised data, provided the anonymisation is effective, i.e. the individuals concerned can no longer be identified (Recital 26 GDPR).
Article 5 Principles
Regardless of the exceptional situation, data processing activities in connection with measures against the Corona-Pandemic that rely on personal data (Article 4(1) GDPR) have to comply with the principles of data processing as laid out in Article 5 GDPR:
- Lawfulness, fairness and transparency: Data processing must be lawful under Article 6 GDPR and/or Article 9 GDPR. Some member states have already passed laws dealing with the Corona-Virus, which must be taken into consideration when assessing the lawfulness of the processing. See below for more information. Furthermore, processing must be fair and transparent. This means, for example, that data subjects whose data are being processed for the purpose of fighting the Corona-Virus must be informed under Article 13 GDPR or Article 14 GDPR once their data have been obtained.
- Purpose limitation: Data collected for the purposes of preventing or slowing the further spread of the Corona-Virus and of monitoring citizens' compliance with governmental measures shall only be processed for these purposes.
- Data minimisation: Only data that are truly necessary for these purposes may be collected and processed.
- Accuracy: Data must be accurate and, where necessary, kept up to date.
- Storage limitation: Once the purposes for processing are fulfilled, the data must be deleted or anonymised.
- Integrity and confidentiality: Appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, must be ensured by technical and organisational measures (Art 32 GDPR).
Legal Basis under Article 6
As far as the data processing concerns only personal data that do not qualify as special categories of personal data (Art 9(1) GDPR), processing activities can - realistically - be based on:
- Article 6(1)(d) GDPR, if the processing is necessary to protect the vital interests of the data subject or of another natural person: Since the Corona-Virus is considered to be highly virulent, data can be processed in order to protect both infected people and others, to prevent the latter from being infected. This legal basis could be invoked e.g. by telecommunication providers that seek to transfer personal data to governmental institutions for monitoring citizens' compliance with governmental measures (if these data are actually personal data, i.e. not anonymised).
- Article 6(1)(e) GDPR, if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller: This legal basis can be invoked by public authorities pursuing the purposes mentioned above.
- Article 6(1)(f) GDPR, legitimate interests pursued by the controller: This legal basis may also be invoked by private controllers, since there will not always be vital interests of the data subject or of other persons at stake; processing may be necessary only for "less severe" reasons, e.g. if certain goods and services are limited due to supply difficulties and it must be ensured that these goods and services are distributed equally among customers. Article 6(1)(f) GDPR does not apply to processing carried out by public authorities in the performance of their tasks; these authorities have to rely on Article 6(1)(e) GDPR.
Legal Basis under Article 9
Article 9(1) sets out under what conditions special categories of personal data may be processed. With regard to the Corona-Pandemic this mostly concerns health data, genetic data and biometric data processed for the purpose of uniquely identifying a natural person (e.g. at airports or state borders).
Article 9(1)(i) GDPR deals with scenarios such as the current Corona-Pandemic, which qualifies as a "serious cross-border threat to health":
"[...] processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy."
Furthermore, Recital 46 of the GDPR specifically mentions epidemic scenarios:
"The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters."
DPA Guidelines
In the context of the Corona pandemic, the EU/EEA data protection authorities released guidelines on the processing of personal data and also on the continuity of their own tasks in times of the Corona-Pandemic:
Austria
The Data protection authority (the DSB) issued guidelines here (https://www.dsb.gv.at/informationen-zum-coronavirus-covid-19-). The DPA explained the existing legal basis for the collection and processing of health data by employers, in particular the transfer of sensitive data to health authorities. In addition, the DPA provided a sample form for the collection of private contact details of employees in order to warn them about an infection in the company. An information sheet about data security and working from home can also be found on the webpage.
Denmark
The Data protection authority (the Datatilsynet) issued guidelines here (https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2020/mar/gode-raad-om-hjemmearbejde/). The guidelines contain advice for employers and employees. The DPA emphasized the importance of internal guidelines for working from home and of related security measures, which should be taken on both company and personal devices.
Estonia
The Data protection authority (the AKI) issued guidelines here.
France
The Data protection authority (the CNIL) issued guidelines here. The CNIL addressed the numerous requests from businesses about the collection and sharing of employees' health data.
Germany
The Federal Data protection authority (the BfDI) issued guidelines here (https://www.bfdi.bund.de/SiteGlobals/Modules/Buehne/DE/Startseite/Pressemitteilung_Link/HP_Text_Pressemitteilung.html), as did the DPA of Brandenburg, see here (https://www.lda.brandenburg.de/cms/detail.php/bb1.c.661589.de?highlight=dsgvo). The federal DPA emphasized the sensitivity of personal data in the context of COVID-19 and the responsibility arising from it. The DPA stated that data protection is not an obstacle to the collection and processing of personal data, for example employee or visitor data, as long as the measures are reasonable and proportionate.
Greece
The Data protection authority (the HDPA) issued guidelines here.
Hungary
The Data protection authority (the NAIH) issued guidelines here.
Iceland
The Data protection authority (the Persónuvernd) issued guidelines here.
Ireland
The Data protection authority (the DPC) issued guidelines here.
Luxembourg
The Data protection authority (the CNPD) issued guidelines here. The CNPD published recommendations addressed to both the private and the public sector concerning the measures that have to be implemented for the prevention, information and safety of all stakeholders.
The Netherlands
The Data protection authority (the AP) issued guidelines here.
Norway
The Data protection authority (the Datatilsynet) issued guidelines here (https://www.datatilsynet.no/personvern-pa-ulike-omrader/korona/). The DPA answered questions regarding the use of video services for communication and of webcams in schools. Further recommendations relate to data processing by health authorities, hospitals and companies in their roles as controllers or processors and as employers.
Slovenia
The Data protection authority (the IP) issued guidelines here.
Sweden
The Data protection authority (the Datainspektionen) issued guidelines here (https://www.datainspektionen.se/nyheter/coronavirus-och-personuppgifter/). The DPA answered questions relating to the responsibilities of the employer and the processing of personal data in connection with the virus. The DPA emphasized that individuals' right to privacy still needs to be safeguarded; in particular, an employer may only register the personal data that are necessary for the purpose in question and must then restrict access to those who need the information for their work.
The UK
The Data protection authority (the ICO) issued guidelines here. The ICO mainly focused on the processing of personal data in the employment context, i.e. the security measures that have to be implemented while working from home and the collection and sharing of employees' health data.
EDPB
The EDPB issued a statement here. The EDPB mainly focused on processing that is necessary for reasons of public interest, to protect vital interests or to comply with another legal obligation (Articles 6 and 9 GDPR). The EDPB also mentioned that additional rules for the processing of electronic communications data apply, in the light of the ePrivacy Directive.