EDPB chair: Processing personal data in the context of coronavirus

By Jaclyn Jaeger2020-03-16T14:58:00+00:00

No comments

In a statement released Monday, the chair of the European Data Protection Board (EDPB) addressed things companies need to consider as they process different types of personal data in the context of the coronavirus.

Data protection rules, such as the EU’s General Data Protection Regulation (GDPR), “do not hinder measures taken in the fight against the coronavirus pandemic,” said EDPB Chair Andrea Jelinek. “However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

The GDPR provides for the rules to apply to the processing of personal data in a context like the one relating to COVID-19. “Indeed, the GDPR provides for the legal grounds to enable the employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject,” Jelinek said. This applies, for example, when the processing of personal data is necessary for employers for reasons of public interest in the area of public health or to protect vital interests (Articles 6 and 9 of the GDPR) or to comply with another legal obligation, she says.

In addition to the EDPB’s guidance, individual data regulators throughout the European Union—such as the U.K.’s Information Commissioner’s Office and Ireland’s Data Protection Commission—have also provided their own FAQs on the topic.

Mobile location data

For the processing of electronic communication data, such as mobile location data, additional rules apply. The national laws implementing the ePrivacy Directive provide for the principle that location data can only be used by the operator when they are made anonymous, or with the consent of the individuals.

Public authorities should first aim to process location data in an anonymous way (i.e. processing data aggregated in a way that it cannot be reversed to personal data), which could enable the generation of reports on the concentration of mobile devices at a certain location, Jelinek said. When it’s not possible to only process anonymous data, Article 15 of the ePrivacy Directive enables member states to introduce legislative measures pursuing national security and public security. In this context, it shall be noted that safeguarding public health may fall under the national and/or public security exception, the EDPB noted.

“This emergency legislation is possible under the condition that it constitutes a necessary, appropriate, and proportionate measure within a democratic society,” Jelinek said. “If such measures are introduced, a member state is obliged to put in place adequate safeguards, such as granting individuals the right to judicial remedy.”

Jaclyn JaegerJaclyn Jaeger is a freelance contributor to Compliance Week after working for the company for 15 years. She writes on a wide variety of topics, including ethics and compliance, risk management, legal, enforcement, technology, and more.View full Profile

Topics

No comments

Interested in writing for CW?

Compliance Week accepts outside contributions from corporate chief compliance officers and other senior-level GRC practitioners. To learn more, contact Editor in Chief Kyle Brasseur.

Article
EDPB challenges Hungary’s GDPR suspension under Article 23

2020-06-04T17:41:00Z By Kyle Brasseur

The European Data Protection Board will issue guidelines on the implementation of Article 23 of the GDPR after Hungary’s government used the article to suspend data subject rights until the end of its coronavirus state of emergency.
News Brief
3M to pay $9.6M over Iran sanctions lapses

2023-09-22T18:34:00Z By Jeff Dale

The Office of Foreign Assets Control ordered multinational conglomerate 3M to pay more than $9.6 million over apparent Iran sanctions violations by its subsidiary and a U.S. employee of a separate subsidiary.
Premium
Experts: How ESG materiality assessments impact compliance

2023-09-22T12:52:00Z By Jeff Dale

Transparency in environmental, social, and governance reporting has become an important goal, with materiality assessments impacting compliance outcomes, experts said during CW’s virtual ESG Summit.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More from Data Privacy

News Brief
CCPA first state privacy law deemed adequate by Dubai financial hub

2023-08-10T16:52:00Z By Jeff Dale

The Dubai International Financial Centre announced the California Consumer Privacy Act passes muster, allowing compliant California businesses to be the first permitted to transfer data with the DIFC without additional contractual measures.
Premium
Expert views mixed on viability of new EU-U.S. data transfer framework

2023-07-18T14:46:00Z By Neil Hodge

The European Commission might have given a green light to the latest mechanism to allow safe data transfers between the European Union and the United States, but experts have mixed views regarding how long it will last and whether it is even legal.
News Brief
EU adopts Privacy Shield replacement for U.S. data transfers

2023-07-10T17:41:00Z By Kyle Brasseur

The European Commission announced it adopted a new agreement with the United States to allow for transatlantic data flows without fear of violating the European Union’s General Data Protection Regulation.