Processing of personal data in the context of COVID-19
It is well known that public and private organisations are taking the necessary measures to contain and mitigate the dramatic effects of the coronavirus. These measures are likely to require the processing of different types of personal data, including health data, which is a special category of data under the GDPR.
The GDPR provides for appropriate legal basis to process personal data in the context of epidemics without the obligation to obtain consent of the data subject. Article 9 of the GDPR sets out exceptions to the rule which controllers may rely upon to legitimise the processing of special categories of data, in particular, where the “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health”.
Controllers must assure the lawful processing of personal data and follow properly data protection obligations and requirements. The IDPC encourages all controllers to comply strictly with the instructions provided by the public health authorities to prevent the spread of the COVID-19, including any processing of personal data as necessary in compliance with national laws. It is equally important that appropriate measures are applied to secure processing operations to achieve the right balance between the need for processing health data and the rights of data subjects.
The EDPB has adopted a statement on the processing of personal data in the context of the COVID-19 outbreak that is accessible here.