With respect to the situation caused by the pandemic and its possible data protection impacts, please find below a summary of the statement of the European Data Protection Board (EDPB) on the processing of personal data in the context of the COVID-19 outbreak, issued on 19 March 2020.
The EDPB starts by emphasizing that “[d]ata protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. The fight against communicable diseases is a valuable goal shared by all nations and therefore, should be supported in the best possible way… [e]ven so, the EDPB would like to underline that, even in these exceptional times… a number of considerations should be taken into account to guarantee the lawful processing of personal data and in all cases it should be recalled that any measure taken in this context must respect the general principles of law… [e]mergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.”
I. Considerations for employers in the context of employment
1. Are employers allowed to process special categories of data?
If the employer is subject to a legal obligation, such as obligations relating to health and safety at the workplace or the public interest (such as the control of diseases and other threats to health), processing may take place in line with the requirements of applicable data protection laws. This means that in addition to having a legitimate data processing purpose and legal basis of processing, information must be given in due course to the persons concerned, the principles must be observed (such as data minimisation and limited data retention) and adequate security measures must be in place. It is also important to document the steps that the employer takes.
Article 9 (2) i) of the GDPR allows the processing of certain special categories of personal data, such as health data, where it is necessary for reasons of substantial public interest in the area of public health on the basis of Union or national law. Furthermore, Article 9 (2) c) provides that data processing is allowed where there is a need to protect the vital interests of the data subject and recital 46 of the GDPR explicitly refers to the control of an epidemic.
2. Can an employer require visitors or employees to provide specific health information in the context of the pandemic?
The employer should and may only require health information to the extent that national law allows it. Of course, the principles of data processing (such as data minimisation, limited retention period and proportionality) must also be respected.
3. Is an employer allowed to perform medical check-ups on employees?
Employers can only access and process health data if there is a legal obligation that requires it to do so.
4. Can an employer disclose the fact that an employee is infected with the virus to his/her colleagues or to external parties?
Employers should inform personnel about infections and are required to take adequate safeguards. At the same time, it is important not to communicate more information than necessary. If it is necessary to disclose the name of the employee who contracted the virus (with a view to preventing further possible infections) and national law allows it, the employees affected have to be informed in advance and their dignity has to be protected.
5. What information processed in the context of the virus can employers obtain?
Employers may obtain personal information to comply with their legal obligations. Under Hungarian law, employers are required to maintain a healthy and safe workplace and the employer and the employee have to cooperate with each other during the employment in good faith (i.e. an employee who knows that he/she has been infected or may have been infected because, for example, he/she has returned from a country where the number of infections have been very high, the employee should certainly inform the employer of the risk).
Prior to an employer deciding on the processing of personal data (including health data) in the context of the pandemic, the circumstances of the employment have to be analyzed and the employer should proceed on the basis of assessing all the circumstances in light of the statement of the EDPB and the information paper of the Hungarian Data Protection Authority issued on 10 March 2020. For further details on the said information paper, please click on the following link: https://szecskay.hu/en/publications/data-protection-employment-law-and-economic-measures-during-corona-crisis
II. Considerations for Member States
1. Can public authorities process special categories of data?
The GDPR allows public health authorities to process personal data in the context of an epidemic in line with applicable laws. For example, if processing is necessary for reasons of public interest in the area of public health.
With regard to the processing of personal data, including special categories of data by public health authorities, the EDPB considers that Articles 6 and 9 of the GDPR enable the processing of personal data, in particular when it falls under the competence of the public authority.
2. Can location data be processed?
To answer this question, the respective national law must be followed. Article 15 of the ePrivacy Directive authorizes Member States to adopt regulations to safeguard public security. Such exceptional legislation must be necessary, appropriate and proportionate and must be in line with the Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms.
In Hungary, the Act on Electronic Telecommunications implements the rules of the ePrivacy Directive and the Act contains no explicit rules concerning epidemics. However, the Act does contain certain provisions when location data may / has to be processed.
3. Can Member States use personal data related to individuals’ mobile phones to monitor, contain or mitigate the spread of COVID-19?
Member States should first seek to process anonymous data, i.e. data based on which the individuals can no longer be identified. If this is not possible, the ePrivacy Directive allows Member States to adopt regulations with a view to safeguarding public security. In this case, the type of processing causing the least intrusion in the privacy of the individuals must be chosen and the Member States are also required to provide for adequate safeguards.
The EDPB also adds that “[i]nvasive measures, such as the “tracking” of individuals (i.e. processing of historical non-anonymised location data) could be considered proportional under exceptional circumstances and depending on the concrete modalities of the processing. However, it should be subject to… safeguards to ensure the respect of data protection principles (proportionality of the measure in terms of duration and scope, limited data retention and purpose limitation).”
The above content does not constitute legal advice, this summary merely provides general information of the data protection aspects mentioned above.
Should you have any questions concerning the above, please consider Zoltán Balázs Kovács and our team at your disposal.