EDPB chair: Processing personal data in the context of coronavirus

By Jaclyn Jaeger2020-03-16T14:58:00+00:00

No comments

In a statement released Monday, the chair of the European Data Protection Board (EDPB) addressed things companies need to consider as they process different types of personal data in the context of the coronavirus.

Data protection rules, such as the EU’s General Data Protection Regulation (GDPR), “do not hinder measures taken in the fight against the coronavirus pandemic,” said EDPB Chair Andrea Jelinek. “However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

The GDPR provides for the rules to apply to the processing of personal data in a context like the one relating to COVID-19. “Indeed, the GDPR provides for the legal grounds to enable the employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject,” Jelinek said. This applies, for example, when the processing of personal data is necessary for employers for reasons of public interest in the area of public health or to protect vital interests (Articles 6 and 9 of the GDPR) or to comply with another legal obligation, she says.

In addition to the EDPB’s guidance, individual data regulators throughout the European Union—such as the U.K.’s Information Commissioner’s Office and Ireland’s Data Protection Commission—have also provided their own FAQs on the topic.

Mobile location data

For the processing of electronic communication data, such as mobile location data, additional rules apply. The national laws implementing the ePrivacy Directive provide for the principle that location data can only be used by the operator when they are made anonymous, or with the consent of the individuals.

Public authorities should first aim to process location data in an anonymous way (i.e. processing data aggregated in a way that it cannot be reversed to personal data), which could enable the generation of reports on the concentration of mobile devices at a certain location, Jelinek said. When it’s not possible to only process anonymous data, Article 15 of the ePrivacy Directive enables member states to introduce legislative measures pursuing national security and public security. In this context, it shall be noted that safeguarding public health may fall under the national and/or public security exception, the EDPB noted.

“This emergency legislation is possible under the condition that it constitutes a necessary, appropriate, and proportionate measure within a democratic society,” Jelinek said. “If such measures are introduced, a member state is obliged to put in place adequate safeguards, such as granting individuals the right to judicial remedy.”

Jaclyn JaegerJaclyn Jaeger is a freelance contributor to Compliance Week after working for the company for 15 years. She writes on a wide variety of topics, including ethics and compliance, risk management, legal, enforcement, technology, and more.View full Profile

Topics

No comments

Interested in writing for CW?

Compliance Week accepts outside contributions from corporate chief compliance officers and other senior-level GRC practitioners. To learn more, contact the CW Editor.

Article
EDPB challenges Hungary’s GDPR suspension under Article 23

2020-06-04T17:41:00Z By Kyle Brasseur

The European Data Protection Board will issue guidelines on the implementation of Article 23 of the GDPR after Hungary’s government used the article to suspend data subject rights until the end of its coronavirus state of emergency.
News Brief
FRC fines PwC, EY for London Capital & Finance audit failings

2024-05-07T18:58:00Z By Kyle Brasseur

Big Four firms PwC and EY were each penalized by the Financial Reporting Council for alleged shortcomings during their respective audits at collapsed investment firm London Capital & Finance.
News Brief
Federal banking regulators issue TPRM guidance for community banks

2024-05-06T15:29:00Z By Aaron Nicodemus

Three federal banking regulators have issued a guide on third-party risk management focusing the unique risks faced by community banks in their third-party relationships.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More from Data Privacy

Premium
What’s the problem for GDPR repeat offenders?

2024-05-02T14:57:00Z By Neil Hodge

The General Data Protection Regulation has been in force for nearly six years. Some industries—and some companies—have been more prone to fall foul of the rules than others.
Premium
EDPB decision sparks ‘consent or pay’ debate for Big Tech firms

2024-04-19T19:16:00Z By Neil Hodge

Big Tech firms might need to rethink their plans to charge users for not selling their personal data for behavioral advertising following a decision by Europe’s primary data regulator.
News Brief
CPPA warns of collecting too much data in first enforcement advisory

2024-04-05T19:40:00Z By Adrianne Appel

The California Privacy Protection Agency warned businesses to stop asking for excessive information from consumers who have requested to opt out of having their data collected or who are otherwise exercising their privacy rights under the California Consumer Privacy Act.