Poland: Processing data in the context of a pandemic

​published on 1 April 2020 | reading time approx. 4 minutes

After a short press release, the European Data Protection Board issued a full statement on the processing of personal data in the context of the COVID-19 pandemic. 

• Legal basis for processing »

• Telecommunications data within the meaning of ePrivacy Directive »

• Basic principles for processing personal data under the GDPR »

• Questions and answers »

The EDPB points out that legislation (including the GDPR) does not impede national efforts to combat the virus. Curbing the pandemic is in the common interest of mankind, as is the use of modern technologies in this area.

The EDPB underlines that even in the very difficult situation that we are currently facing, Data Controllers should ensure the protection of personal data of data subjects and take into account a number of factors to ensure that personal data are processed lawfully.

This state of emergency we are currently facing may to some extent justify a restriction of freedom, provided that such restrictions are proportionate, limited to the duration of the state of emergency and are not irreversible.

Legal basis for processing

The EDPB says that the GDPR explicitly defines the rules that apply to data processing in the context of the COVID-19 pandemic. The GDPR allows authorised public health authorities and employers to process personal data in accordance with national law.

The EDPB indicates that:

The processing of data by public health authorities is possible on the basis of Articles 6 and 9 of the GDPR,
• in the context of employment and processing by employers, the EDPB indicates that data processing may be necessary in order for employers to comply with e.g. legal obligations relating to health and safety at work or the public interest. The following legal bases are indicated as the possible legal bases for processing personal data concerning health:
  • 1) Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health,
  • 2) Article 9(2)(c) – processing is necessary to protect the vital interests of the data subject (or of another natural person).

In the second of the indicated legal bases, the EDPB refers to recital (46) of the GDPR which includes a clear reference to the monitoring of an epidemic: “(46) The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters”.

Telecommunications data within the meaning of ePrivacy Directive

Telecommunications data, such as location data, should also be processed in compliance with national law and national regulations implementing the ePrivacy Directive (on privacy and electronic communications). The main principle of the Directive is that location data may, as a rule, be processed on the basis of the consent of the user to whom the data relate or anonymously.

However, Article 15 of the Directive allows restriction of certain rights and obligations provided for by the Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security.

Such restriction should be strictly related to the emergency situation and should not last longer than that situation.

Basic principles for processing personal data under the GDPR

Processing personal data in the situations described above may not violate the basic principles of the GDPR, i.e.:

• data must be collected in the necessary scope and for the purpose for which they are collected (purpose limitation),
• the principle of transparency applies, i.e. the data subject should be informed in a transparent manner (in accordance with Article 13 or 14 of the GDPR) about the main principles of processing, including the period for which the personal data will be stored, the purposes of the processing in an intelligible and easily accessible way for the recipient of the information,
• appropriate security measures must be ensured, and confidentiality rules must be developed to ensure that the data are not made available to unauthorised persons (integrity and confidentiality principle). The implemented measures and the related decision-making process should be appropriately documented (accountability principle).

Questions and answers

In its statement, the EDPB included a Q&A section relating to the processing of location data obtained from mobile devices and processing of data as part of recruitment processes. In the section concerning employers, however, the EDPB refers readers to national legislation, i.e. in respect of the possibility of obtaining data concerning health of workplace visitors, verifying health of workers, or the scope of data that are necessary in the context of a pandemic.

The EDPB offered a detailed answer only to the question 'can an employer disclose to an employee’s colleagues or to third parties that the employee has COVID-19?”. The answer was as follows: “The employer should inform the staff of any COVID-19 cases in the workplace and take protective measures but should not disclose any information beyond the necessary scope. In cases where it is necessary to disclose the name of the employee(s) who has contracted the virus (e.g. for preventive purposes) and national law allows it, the employees concerned should be informed thereof in advance and their dignity and integrity should be protected.”

The statement by the EDPB can serve as guidance for enterprises and be helpful in interpreting laws related to personal data concerning health of employees. The statement confirms the approach already represented by national commentaries and does not add anything new in this respect. Importantly, employers may invoke the premise of data processing when it is necessary for them to fulfil e.g. legal obligations related to health and safety at work, e.g. Articles 207 and 211 of the Labour Code under which the employer is responsible for health and safety in the workplace and is required to protect the health and life of employees by ensuring safe and hygienic working conditions based on the appropriate use of scientific and technical achievements (Article 207 of the Labour Code), while the employee is required to cooperate with the employer and superiors (Article 211 of the Labour Code).