
This post is also available in: Español

The current health emergency stemming from the global spread of coronavirus is forcing a more flexible interpretation of the regulatory framework on data processing, to the point that the European Data Protection Board (“EDPB”) has had to rethink its data protection strategy for the next few years (2020-2024).

On March 19, the EDPB published a Statement in which it stressed that data protection regulations and, in particular, the General Data Protection Regulation (“GDPR”), should not be an obstacle in the global fight against the coronavirus. In the EDPB’s opinion, processing personal data, even with the use of new technologies, could be legally justified under European data protection legislation.

Together with this first general statement, the EDPB set out several considerations that data controllers must take into account when adopting measures to combat the coronavirus that involve personal data processing. In particular, the EDPB highlights the following:

  • Legal basis for processing: the EDPB recognizes both the public interest and the preservation of vital interests as legitimate bases for data processing (including health data) to tackle COVID-19.
  • Use of mobile location data: the EDPB refers to the measure suggested by some Member States of using the citizens’ mobile location data to control or mitigate the spread of the coronavirus. The EDPB highlights that the authorities should process the data anonymously, and only when this is not possible can such data be processed exceptionally. To that effect, the EDPB stresses that the Directive (EU) on privacy and electronic communications allows Member States to implement temporary legislative measures to ensure public safety, which must always comply with the principle of proportionality, and requires that they opt for the least intrusive solution to the fundamental right to data protection.
  • Data processing in the workplace: the EDPB states that data processing by employers is necessary to comply with certain legal obligations and, in particular, those relating to the need to ensure the safety and health of employees. The EDPB states that the national regulations of each Member State should be consulted regarding the possibility for companies to request information from employees (or visitors) on their health status or to perform medical examinations. The EDPB believes that the identity of persons infected by the virus should not be revealed to the rest of the employees, unless absolutely necessary for the company to take appropriate measures to ensure employees’ health, in which case the affected employees must be informed in advance that their information will be communicated.
  • Compliance with the principle of proactive responsibility: naturally, and in accordance with the GDPR, data subjects must be informed about how their data will be processed at this crossroads. The EDPB, therefore, stresses that the data controller must take extra measures to prevent security breaches and, in particular, to prevent unauthorized access to the personal data of those affected. The data controller must also document the measures implemented to manage this health emergency and the decision-making process on the data processing.

In any event, the EDPB recalls that data processing in the context of the coronavirus pandemic must comply with the essential principles laid down in data protection regulations and, in particular, with the principle of data minimization, so that data collection and processing are limited to preventing the spread of the virus.

Author: Sergi Gálvez


Associate in the Intellectual Property and Data Protection practice area. Specialist in data protection and disruptive technologies. He takes part in ongoing advice on data protection and technology contracting for national and international companies, especially in the legal structuring of impact assessments, international transfers of personal data, data processing agreements, and advice during security breaches. In addition to providing ongoing advice to clients in these areas, he has experience advising companies from different sectors on the legal structuring of projects that implement disruptive technologies, such as Big Data, the Internet of Things, artificial intelligence and smart robots.