Processing of personal data in context of Coronavirus COVID-19 outbreak

In the first publication dated March 17, 2020 the DSI reminded that the lawful processing of personal data is only allowed in accordance with Article 6 of the General Data Protection Regulation (GDPR), inter alia pointing out that processing of personal data will be considered lawful if it is necessary:

1) to carry out a task in the public interest or in the exercise of official authority vested in the controller, or 

2) for the purposes of legitimate interests pursued by the controller. 

Furthermore, the DSI added that the data concerning health falls under Article 9 of the GDPR, which stipulates that processing of special categories of personal data, is allowed only e.g. in the public interest concerning health matters. Therefore, processing of personal health data in context of Coronavirus COVID-19 outbreak should be aimed against cross boarder health threats and should be carried out so that it serves people in fight against the spread of this disease, in the meantime keeping in mind that privacy of individuals cannot be at risk of exposure via public statements or lists of persons which are ill or quarantined.  

Given that into account, lawful processing of personal data would be considered in following examples:

Such processing is needed for the public interest to restrict the spread of a virus infection, inform competent authorities, as well as take precautions measures regards to own personnel and business.  

It shall be noted that it is prohibited to publically share, including posting such information on social media, personal data of other individuals if a person assumes to know that someone is infected with COVID-19, as such actions undeniably violate a person’s rights to privacy and data protection.

As regards to the second publication, the DSI explained requirements for lawful processing of sensitive data and emphasizing who and why is allowed to process respective personal data. 

The DSI declared that data protection regulation should not interfere with the efforts of trying to contain and minimize the spread of an infectious diseases (including COVID-19), however, it should be observed to prevent unjustified and disproportionate publication of identifiable information on people, who have contracted a virus or people within a risk group. In this regard, it is important that the information (also containing health related data of people) is published for the benefit of public health, but pursuant to such information it would not be possible to identify individuals, as it may provoke discrimination and create risk for the rights and freedoms of those individuals. 

In conclusion the DSI encourages people to rely only on information coming from official sources, state institutions official websites and their social networking site accounts. Should you have any personal data related queries in context of Coronavirus COVID-19 outbreak or else, our time is ready to help.