Data Protection under SARS-CoV-2
General Comments
The sudden and unexpeceted outbreak of cases of COVID-19-afflictions ("Corona-Virus"), which was declared a pandemic by the WHO has also given cause to new data processing activities by EU member states and private companies. This processing activities focus on preventing/slowing the further the spreading of the Corona-Virus and on monitoring the citizen's abidance with governmental measures such as quarantine.
At the moment, it is not easy to figure out, which processing activities are actually supposed to be conducted and which are only rumours. This page will therefore be adapted, onc certain processing activities have been confirmed.
Several activities - such as monitoring, if citizen's comply with quarantine and stay indoors by watching at mobile phone locations - can be done without having to use personal data under Article 4(1) GDPR because all necessary information can be derived from anonymised data.
Article 5 Principles
Regardless of the exceptional situation, data processing activities in connection with measures against the Corona-Pandemic have to comly with the principles of data processing as lined out in Article 5 GDPR:
- Lawfulness, fairness and transparency: Data processing must be lawful under Article 6 GDPR and/or Article 9 GDPR. Some member states have already passed laws that deal with the Corona-Virus which must be taken into consideration when assessing the lawfulness of the processing. See below for more information. Furthermore processing must be fair and transparent. This includes i.e. that data subjects whose data is being processed for purposes of fighting the Corona-Virus must be informed under Article 13 GDPR or Article 14 GDPR once their data has been obtained.
- Purpose limitation: Data collected for the purposes of preventing/slowing the further the spreading of the Corona-Virus and monitoring the citizen's abidance with governmental measures shall only be processed for these purposes
- Data minimsation: Only data that are truly neccessary for these purposes may be collected and processed.
- Accuracy: Data must be accurate and, where necessary, kept up to date.
- Storage limitation: Once the purposes for processing are fulfilled, the data must be deleted or anonymised.
- Integrity and confidentiality: appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage must be esured by technical or organisational measures (Art 32 GDPR).
Legal Basis under Article 6
As far as the data processing concerns only personal data, that do not qualify as special categories of personal data (Art 9(1) GDPR), processing activities can be based on Article 6(1)(e) GDPR. These provision allows for.
Legal Basis under Article 9
To be added soon...
DPA Guidelines
In the context of the Corona pandemic, the EU/EEA Data protection authorities released guidelines on the processing of personal data. You can have a look at the list below. Feel free to edit it!
Austria
The Data protection authority (the DSB) issued guidelines here.
Denmark
The Data protection authority (the Datatilsynet) issued guidelines here.
Estonia
The Data protection authority (the AKI) issued guidelines here.
France
The Data protection authority (the CNIL) issued guidelines here.
Germany
The Federal Data protection authority (the BfDi) issued guidelines here, as well as the DPA of Bradenburg, see here.
Greece
The Data protection authority (the HDPA) issued guidelines here.
Hungary
The Data protection authority (the NAIH) issued guidelines here.
Iceland
The Data protection authority (the Persónuvernd) issued guidelines here.
Ireland
The Data protection authority (the DPC) issued guidelines here.
Luxembourg
The Data protection authority (the CNPD) issued guidelines here.
The Netherlands
The Data protection authority (the AP) issued guidelines here.
Norway
The Data protection authority (the Datatilsynet) issued guidelines here.
Slovenia
The Data protection authority (the IP) issued guidelines here.
Sweden
The Data protection authority (the Datainspektionen) issued guidelines here.
The UK
The Data protection authority (the ICO) issued guidelines here.
EDPB
The EDPB issued a statement here.
