18 March 2020

COVID-19 Couldn’t Care Less About GDPR

As a general state of emergency envelops the world, and everything in it, one aspect worth looking at in light of the COVID-19 outbreak is the dynamic between a person’s medical information and their personal data protection rights.  When declaring COVID-19 a pandemic, the World Health Organization (WHO) director general urged all countries to “find, isolate, test and treat every case and trace every contact”.  Indeed, every day in almost every country around the world, a significant number of people are sent for testing, quarantined, and questioned about who they have come into contact with, all with the aim of breaking the chain of contagion.  Does that mean that public health outranks a person’s right to protection of personal data?  The following is a brief overview of points central to this question.


It is true that data plays a crucial role in containing the spread of the coronavirus; however, not all data processing can be justified on that basis.  Wide-spread testing and temperature measurement in order to track the virus raise practical and security-related questions and, taken together, GDPR-related questions.  Therefore, a middle ground must be found between protecting public health and personal privacy.  Foreseeably, each jurisdiction has its own distinct requirements, limitations and conditions.


EU’s GDPR exemptions


Under EU data protection law (GDPR), personal data concerning health is singled out and placed under “special category data”.  Thus, employers need to ensure that any communication does not include data about an individual who may be absent, including their symptoms.  Employers should conduct a detailed review of whether any information released could be used to “single out” or identify the employees concerned.  In instances where there is a confirmed case of the virus among staff, it is highly advisable to consider measures to avoid naming any individuals or disclosing their medical information.


Health data’s “special category data” designation shows how GDPR legislators were thinking ahead by providing derogations for this category.  Namely, derogating from the prohibition on processing special categories of personal data should also be allowed: (i) when prescribed under Union or Member State law, (ii) so as to protect personal data and other fundamental rights, (iii) where it is in the public interest to do so, and in particular processing personal data for health security (amongst other spheres), including the prevention or control of communicable diseases and other serious threats to health.  Such derogations may be made for health purposes, including public health and management of health-care services.


Accordingly, Article 6 and Article 9 of the GDPR provide the legal grounds for employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject.  This applies e.g. when the processing of personal data is necessary for employers for reasons of public interest in the area of public health or to protect vital interests or to comply with another legal obligation.  As more coronavirus cases are detected, employers will need to monitor the impact of the outbreak and, if necessary, take steps to protect their employees.  However, sharing information in this regard should be proportionate to the risk and must be carefully assessed on an ongoing basis.  It is up to employers to decide what steps should be taken to ensure employee safety.

Additionally, Article 15 of the ePrivacy Directive allows the Member States to introduce legislation in the interest of national security and public security.

The foregoing does not, however, constitute free-for-all access to personal data, nor is it a law-of-the-jungle approach to data collection.


GDPR mechanisms in other countries


As pointed out, every jurisdiction has been finding its own way of coping with the COVID-19 outbreak.  With respect to data protection, different jurisdictions are trying to find their bearings, because data plays a crucial role in containing the spread of the virus.  However, not all data processing can be justified on that basis.  A happy medium must be struck between protecting public health and personal privacy.  A distinction must be made between the collection of sensitive data for which there is no apparent legal basis under the GDPR and the collection of data for which there is.

Pertinent questions in the wake of the COVID-19 outbreak

  1. Have data privacy regulators issued any guidance either permitting or restricting the collection of personal data for purposes of identifying COVID-19 cases?

Countries like Austria and Belgium (although not in an enviable situation) have not issued special guidance concerning restrictions or proposing new exemptions in terms of data sharing.

On the other hand, China, Italy, France and Spain have issued guidance and notices, by way of which they have either emphasized the general principles for protecting individuals’ personal data or even permitted employers to collect and register the dates and identities of persons suspected of having been exposed to the coronavirus.

  2. Are employers permitted to disclose to other employees the identity of an employee confirmed as having COVID-19?

None of the countries above approve of disclosing the identity of any individual who is confirmed as having COVID-19 without a valid legal basis.  The existence of a legal basis is to be assessed on a case-by-case basis, as there may be cases where disclosure appears necessary in order to protect the vital interests of other persons.  Data privacy regulators hold that it is preferable to keep an infected employee’s identity anonymous in the absence of a legal basis for disclosure to other employees.  In short, this issue requires prudent management, and it is preferable that an infected employee’s identity is kept confidential.


GDPR mechanism in Serbia

National personal data protection legislation is completely harmonized with EU regulations.  Accordingly, Article 4 of the Serbian Personal Data Protection Act [1] (“PDP”) defines personal health data as personal data related to the physical or mental health of an individual, including the provision of health care services, which reveals information about his or her health.

The PDP also allows for derogations from the general principles for processing personal data, including personal data concerning health.  Namely, it stipulates that the rights guaranteed by the PDP may be restricted if: (i) the restrictions do not affect fundamental rights and freedoms, and (ii) this is a necessary and proportionate measure in a democratic society for the protection of, inter alia, public health.

Accordingly, Article 17 of the PDP, which prohibits the processing of personal data revealing information concerning health, shall not apply if processing is necessary on grounds of public interest in the area of public health, such as combating serious cross-border threats to health or ensuring high standards of quality and safety in health care and in medicinal products or medical devices.


The final battle

Data protection should not stand in the way of businesses protecting the health and safety of their employees.  This means that organizations are allowed to share information to fulfil their legal obligations to relevant authorities and to safeguard employees.  Considering the times we find ourselves in, proportionality must be weighed, while carefully assessing risks and needs on a regular basis.  As different jurisdictions explore their own ways of dealing with the coronavirus situation, it remains for businesses to decide what steps they will take to ensure the safety of their employees.  Each business should examine suitable assessment methods for employees who may have come into contact with an infected employee.

[1] “Official Gazette of the Republic of Serbia”, No. 87/2018.


For more information, please contact us via covid19@geciclaw.com