Start of main content

European Data Protection Committee pronouncement on data processing in relation to health emergencies

| COVID-19 / Publications | Privacy, IT & Digital Business

European Data Protection Committee Declaration in the context of the COVID-19 emergency

In line with the announcement made last week by the Spanish Data Protection Agency, the European Data Protection Committee (EDPC) has today issued a declaration on the application of data protection regulations in the context of the emergency caused by COVID-19.

First, the ECDC points out that, apart from the exceptional situation we are facing, data controllers have an obligation to ensure compliance with the regulations and the right to data protection of data subjects. Thus, the ECDC has considered it appropriate to issue a series of guidelines and instructions in order to guarantee the lawfulness of potential data processing operations carried out in the context of a health emergency. In this sense, we must highlight:

(i) Firstly, the ECDC specifies that, in accordance with Articles 6 and 9 of the GPR, health authorities and employers are entitled to process the personal data of data subjects without the need to obtain their consent. In this respect, in the same line as the EPRD, reference is made to the fact that employers may be protected to process personal data for reasons of public interest, for the protection of vital interests or to fulfil a legal obligation. The ECDC, however, does not elaborate on the data that may be collected by companies from external visitors or their specific grounds for legitimacy.

(ii) On the other hand, special mention is made of the processing of data coming from electronic devices, such as location data obtained through mobile devices. Therefore, it is stated that, in accordance with the Directive on privacy and electronic communications (Directive 2002/58/EC), only mobile operators would be entitled to do so, provided that the data have been rendered anonymous or the consent of the data subjects has been obtained. In the context of an emergency, anonymised location data may be particularly useful, for example for mapping reports (e.g. knowing the concentration of mobile devices in a certain location). Thus, the ECDC points out that public authorities should ensure that location data are processed in an anonymous way, so as not to allow re-identification of the data subjects.

(iii) Finally, remember that, according to Article 15 of the said Directive, the Member States of the European Union have the possibility of taking various measures with the aim of ensuring public and national security, provided that such measures are necessary, proportionate and appropriate within a democratic society.

In short, as can be seen, the purpose of the ECDC declaration is to ensure a uniform interpretation, at European level, of the protection rules in relation to the processing of personal data caused by the emergency. In our case, the recommendations and guidelines established by the ECDC are in line with the criterion maintained by the AEPD.

You can see the complete informative note from the ECDC or download it here. 

For more information please contact:

Isabel Martínez Moriel

End of main content