The European Data Protection Board (EDPB) is part of the effort to combat the COVID-19 pandemic, carrying out punctual analyzes and specialized efforts, within the limits of the tasks conferred by the GDPR. According to art.68 paragraph (3) of the GDPR, The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.
Thus, on March 16, a statement of the President of EDPB was published – Mrs. ANDREA JELINEK – “Governments, public and private organizations throughout Europe are taking measures to combat and mitigate COVID-19. This may involve processing different types of personal data.”
A new statement by the President of the EDPB in the context of the COVID-19 pandemic was published on March 19, addressing four major segments – the legality of processing, the basic principles, the use of mobile location data (geolocation) and employment. The EDPB statement was also taken on the ANSPDCP website on March 25, 2020. We consider that the issues related to employment are of interest, being formulated guidelines such as Questions and answers, respectively:
Can an employer require visitors or employees to provide specific health information in the context of COVID-19?
The application of the principle of proportionality and data minimization is particularly relevant here. The employer should only require health information to the extent that national law allows it.
Is an employer allowed to perform medical check-ups on employees?
The answer relies on national laws relating to employment or health and safety. Employers should only access and process health data if their own legal obligations require it.
Can an employer disclose that an employee is infected with COVID-19 to his colleagues or to externals?
Employers should inform staff about COVID-19 cases and take protective measures, but should not communicate more information than necessary. In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the concerned employees shall be informed in advance and their dignity and integrity shall be protected.
What information processed in the context of COVID-19 can be obtained by the employers?
Employers may obtain personal information to fulfill their duties and to organize the work in line with national legislation.”
We need to make it clear that, under the notion of national legislation, all the normative acts can be found to contribute to the regulation of a situation, regardless of their level – laws, emergency ordinances, military orders (newer), government decisions, orders of the specialized ministers etc.
As a measure of the resumption of the Plenary work of the EDPB – being delayed in March 2020, remote meetings of this body were organized on April 3 and 7, 2020.
In the 19th Plenary Session of April 3, the main objective of the processing of personal data for combating COVID-19 was discussed, with three sub-points, respectively: “Role of contact points Corona, Scope of application of mandates and assignment of tasks and Platform for information exchange between EDPB members.”
At the 20th Plenary Session of April 7, CEPD “assigned concrete mandates to its subgroups of experts to develop guidance on several aspects of data processing in the fight against COVID-19”, respectively:
“1. geolocation and other tracking tools in the context of the COVID-19 outbreak – a mandate was given to the subgroup of technology experts to conduct this work;
2. processing of health data for research purposes in the context of the COVID-19 outbreak – a mandate for compliance, electronic governance and health expert for the conduct of this work was granted.
Given the high priority of these two topics, the EDPB has decided to postpone the guidance work on teleworking tools and practices in the context of the COVID-19 outbreak.”
ANDREA JELINEK, President of EDPB, said: “The EDPB will move swiftly to issue guidance on these topics within the shortest possible time, to ensure that the technology is used responsibly to support and hope to win the battle against the Corona pandemic. I strongly believe that data protection and public health go hand in hand.”