On 16 March 2020, the Chair of the European Data Protection Board (“EDPB“), an entity which replaced the Article 29 Working Party, provided a statement on the processing of personal data in the context of the COVID-19 crisis.
In this statement, EDPB confirmed that:
– employers are permitted to process personal data during pandemics such as COVID-19, provided that they have appropriate legal grounds such as public interest in public health, protecting vital interests (Art. 6 and 9 GDPR) or complying with another legal obligation. In this specific case, the consent of the data subject is not required.
– for the processing of electronic data (such as mobile location data) by public authorities, the authorities should first aim to process such information in an anonymous way, and, if this is not possible, Member States can introduce legislative measures on grounds of national and public security.
The EDPB statement comes at a time when the question “What data can be collected by employers in such a crisis?” has been raised more often, and the topic of digital surveillance is very current.
As regards data which may be collected by employers, they can obtain information, based on a questionnaire, about regions where employees have travelled, about their travel plans or about the presence of symptoms of an infection with the coronavirus.
On the other hand, employers are not allowed to take mandatory temperature readings of their employees or visitors, nor can they require them to fill out compulsory medical questionnaires about their health history because these data can be collected only under specific circumstances by medical staff.
As regards the use of existing technologies (smart phones) for tracing people who have tested positive for the coronavirus and their contacts as a tool for stopping the spread of the coronavirus, emergency legislation in this respect is possible, but any Member State that adopts such a measure must put adequate safeguards in place and give individuals the right to judicial recourse.