Data protection and COVID-19

The recent outbreak of COVID-19 have urged the government, as well as public and private organizations to adopt necessary measures to prevent the spreading of the virus and mitigate its effects. Many of the measures adopted include the processing of information on the movement of employees (such as name, address, workplace, travel details), of suppliers, data from the Trafficking Information Management System (TIMS), as well as one of the most vulnerable category of data, health data.

For this reason, the Information and Data Protection Commissioner has issued a press release calling upon all controllers, whether audio-visual or online media, or public and private organizations to act in full respect of the privacy and human dignity of individuals, as well as comply with the Law no. 9887/2008 “On the protection of personal data” and all related sub-legal acts.

Though being aware of the unprecedented challenge that the country is facing at the moment, the Office of the Commissioner has invited citizens to file any complaint in relation to the protection of their personal data and their right to be informed.

Our recommendations

It seems obvious that the call of the Commissioner is not intended to stand in the way of the public health measures related to the management of the COVID-19. Nevertheless, a correct interpretation of the controllers’ duties under the data protection rules, as well as the adoption of the appropriate safeguards in the current context might be necessary in order to avoid the risk of being subject to sanctions or penalties as a result of possible violations. Measures such as the use of self-declaration forms and/or questionnaires on travel history, as well as health conditions of individuals accessing airports, offices or local units should be evaluated on a case-by-case basis.

In light of the COVID-19 emergency, controllers must remain aware of the importance of respecting the principles of proportionality and data minimization when processing personal data. Both these principles translate in specific obligations for data controllers and processors.

Data minimization requires that personal data should be adequate, relevant and limited to what is necessary to achieve the purpose. In the case at hand, the purpose would refer to the implementation measures for the prevention or mitigation of the spread of COVID-19.

On the other hand, proportionality means personal data should be correlated with the scope of processing, and not excessive in relation to the purposes for which they are collected and processed. This means that information processed should only be used for necessary purposes related to the managing of the COVID-19 situation.

In addition to that, lawfulness of processing is of paramount importance. If an employer or other entities are seeking additional information about employees or other individuals, including sensitive information such as health data, there must be appropriate legal grounds for the processing.

The Law provides for an exhaustive list of legal basis on which personal data may be processed, including: (i) consent of data subject; (ii) contractual necessity (i.e. the processing is necessary for the performance of a contract to which the data subject is a party); (iii) vital interest of data subject; (iv) compliance with legal obligations of the controller; (v) public interest; (vi) legitimate interest of the controller or by other third parties, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

It seems doubtful whether, under the current situation, data controllers can rely on the explicit consent of the data subject. That is why other legal grounds for processing should be considered. For instance, the processing of sensitive data is allowed for reasons of a substantial public interest, which also includes protection of public health. However, in order to proceed to the processing for such reasons, a prior authorization should be obtained by the Information and Data Protection Commissioner.  On the other hand, for personal data different from sensitive data, controllers may rely on the necessity to comply with legal obligations relating to health and safety or on the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Similarly, controllers may also rely on their legitimate interest, provided that the processing is necessary and it strikes a fair balance between the interest of the controller and the interest of the data subject. As a last resource, the vital interest of the data subject (or in case of sensitive data, also the vital interest of another individual) could also constitute legal bases for the processing, though only in extreme cases.

Finally, it is worthy to note that the recent Commissioner’s Instruction No. 49, dated 02.03.2020 “On the protection of health data” has provided further guidance on the conditions of processing of such data and the obligations of data controllers or processor that operate in the health care system, including public or private organizations as well as other organizations responsible for the supervision and control of health care.