Coronavirus - Data protection authorities guidance tracker - Global
30-07-2020
Introduction
International organisations will need to consider how data protection laws and regulatory guidance apply to their proposed response programmes in order to select suitable solutions, whilst being mindful of the corresponding levels of compliance risk. The level of data protection risk attached to any proposed solution or programme will vary from country to country – a key indicator will be the approach being taken by the data protection authorities (“DPAs”) and other relevant authorities/bodies.
Use our snapshot comparison table to see those jurisdictions where regulatory risk could be higher and click through to each for further commentary.
Developments are very fast-moving so please take note of when each country’s summary was last updated.
Key
- Restrictive: DPAs have, as a rule, prohibited the collection of health data in relation to Covid-19. There may however be gateways employers can take, which must be considered on a strict case by case analysis.
- Neutral: DPAs have stated that health data can be collected under the GDPR for Covid-19 purposes in limited circumstances and as such, the GDPR does not create a barrier to process certain health data in this respect.
- Supportive: DPAs have specifically stated that health data can be collected under the GDPR for Covid-19 purposes (e.g. collecting health data in relation to Covid-19 about employees or from visitors), though only where necessary and proportionate.
- No guidance available
Comparison table of regulatory risk
Further country information
Europe
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies:
- European Data Protection Board (“EDPB”)
- European Union Agency for Cybersecurity (“ENISA”)
Latest position: Whilst it has refrained from issuing sweeping and prescriptive guidance on how organisations should seek to comply with data protection laws at this time, the EDPB has published a number of guidance papers on specific Covid-19 issues, namely the processing of health data for scientific research and the use of location data and contact tracing tools. The EDPB has also published its guidelines on consent under the GDPR, which will help organisations navigate the application of consent as a lawful basis for the processing of special category personal data and, for example, in an employment context. The ENISA has also published a number of resources to help organisations manage the security risks associated with Covid-19, such as increased remote working.
Useful links:
- EDPB guidelines 05/2020 on consent under Regulation 2016/679
- EDPB guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak
- EDPB guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak
- ENISA Covid-19 webpage
- Council of Europe and Committee of Convention 108 Joint Statement on the right to data protection in the context of the COVID-19 pandemic
Contact us
Paula Barrett, Partner Co-Lead of Global Cybersecurity and Data Privacy
Austria
As at 4 June 2020
Regulatory stance: Supportive
Relevant DPAs and other authorities/bodies: Austrian Data Protection Authority (Österreichische Datenschutzbehörde, DSB)
Latest position:
The general position of the Austrian DPA is that the Covid-19 pandemic does not change the fact that personal data must always be processed on an appropriate lawful basis. The DPA acknowledges that under certain circumstances employers may question their employees if they have travelled to areas of risk or if they have had contact with infected persons. Mandatory temperature scanning for employees may be permissible, but only if there are no less intrusive means available to prevent the spreading of an infection (e.g. working remotely, keeping distance, protective screens, facemasks, use of disinfectant). Mandatory Covid-19 rapid tests for employees may be permissible if all requirements of labour law are met and if there has already been an infection in the company and this is required to prevent further spreading of the infection. The DPA has also issued guidance on working remotely (including advice on data security). Use of private mobile numbers of staff may be acceptable according to the DPA.
Useful links:
- Latest Guidelines by the DPA (German)
- Guidance on data security when working remotely (German)
Contact us
Georg Röhsner, Managing Partner, georg.roehsner@eversheds-sutherland.at
Manuel Boka, Partner, manuel.boka@eversheds-sutherland.at
Michael Röhsner, Senior Associate, michael.roehsner@eversheds-sutherland.at
Belgium
As at 10 July 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies:
- Belgian Data Protection Authority (« Gegevensbeschermingsautoriteit/L'Autorité de protection des données »)
Latest position: The general position of the Belgian Data Protection Authority is that the Covid-19 pandemic does not change the fact that personal data must always be processed on an appropriate lawful basis. In particular, the principles of proportionality and minimum data processing must be respected. Furthermore, companies must be transparent about the measures taken and adequately inform their employees and visitors about the purposes of processing and the retention period of the personal data collected in this context.
There is moreover no reason for a broader or systematic application of the lawfulness ground contained in Article 6.1(d) GDPR (vital interests) in the context of taking preventive measures by companies and employers.
As for the mere recording of body temperature, the Belgian Data Protection Authority does not consider this as a processing of personal data in so far as it only consists of a direct reading of the measured body temperature and if it is not recorded in a file. However, as soon as the processing or inclusion of data in a file is fully or partially automated, GDPR shall apply and the data controller must take into account all basic principles of data protection law. Moreover, pending a sufficiently clear and specific legal basis (e.g. by law or collective bargaining agreement), data controllers are currently not allowed to: (i) take persons' temperatures when recording the measurement result in a file; (ii) take persons' temperatures, if the consequences of the measurement’s result for the person concerned are subsequently recorded in a file; (iii) take persons' temperatures using advanced electronic measuring devices such as fever scanners, heat cameras or other automated systems.
The Belgian Data Protection Authority has also issued guidance with respect to other Covid-19 measures on the work floor, the use of health applications, the processing involved in the use of detection applications and the establishment of a database to prevent the spread of the coronavirus. The protection of personal data does not prevent the use of technological tools in the fight against the COVID-19 epidemic, as long as they respect certain fundamental principles (e.g. proportionality; voluntary use by citizens; source code available, etc.).
Useful links
- On Covid-19 in general: https://www.gegevensbeschermingsautoriteit.be/epidemie-covid-19 (Dutch) / https://www.autoriteprotectiondonnees.be/epidemie-covid-19 (French)
- On body temperature measurement: https://www.gegevensbeschermingsautoriteit.be/koorts-meten-het-kader-van-de-strijd-tegen-covid19 (Dutch) / https://www.autoriteprotectiondonnees.be/prise-de-temperature-dans-le-cadre-de-la-lutte-contre-le-covid-19 (French)
Contact us:
Bulgaria
As at 30 July 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies: Commission for Personal Data Protection
Latest position: In general, the approach of the national DPA is that the Covid-19 pandemic does not change the fact that personal data must always be processed on an appropriate lawful basis.
Specific guidelines to employers
1. Opinion No. П НМД-17-151/2020, Sofia, 15 May 2020
Regarding: Collective COVID-19 testing of employees
(i) The employer has the right to issue an order for mandatory collective testing to identify employees who are infected with or are carriers of COVID-19 under the terms of Art. 6, Para. 1, Item f of Regulation (EU) 2016/679, only if the balancing test indicates that its legitimate interests take precedence over the rights and freedoms of the data subjects (its employees).
(ii) Processing of health data and data from samples containing genetic material of persons tested for COVID-19 by way of collective PCR testing may be carried out only by the competent health authorities, which are bound by the obligation of professional secrecy, and in accordance with applicable law.
2. Opinion No. П НМД-17-114/2020, Sofia, 26 May 2020
Regarding: Processing of personal data regarding health status and level of information of employees in case of an employee infected with COVID-19
(i) There are no legal grounds for requesting information from employees who work from home regarding their health status and that of their family members. The employer may introduce a restricted entrance regime on the territory of the enterprise only if required by the specific labour activity. All other measures related to the search for contact persons of the infected person are within the competence of the health authorities.
(ii) On the grounds of Art. 4, Para. 1 of the Health and Safety at Work Act the employer may inform its staff if there is an infected employee but may not provide any data for his identification, even if such infected employee is established in an indisputable manner. The health authorities should take appropriate action for identification and testing of the contact persons.
Useful links
https://www.cpdp.bg/en/index.php
https://www.cpdp.bg/index.php?p=element&aid=1252 (in Bulgarian only)
Contact us
Violetta Kunze, Partner, E: violetta.kunze@dgkv.com
China (PRC)
As at 18 May 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies: Cyberspace Administration of China
Latest position: On 4 February 2020, the Office of the Central Cyberspace Affairs Commission issued the Notice (with immediate effect) regarding data protection in COVID-19 contingency measures. The Notice specifies that: 1) all regions and departments prioritise the protection of personal information. Unauthorised entities may not unlawfully collect any personal information on the grounds of pandemic prevention and treatment; 2) the collection of personal information necessary for joint prevention and control should be done with reference to the national standards and adhere to the principle of minimum scope on data subject selection; 3) personal information collected for purposes of epidemic prevention and treatment must not be used or disclosed for any other purpose, except in certain circumstances; 4) institutions that collect or have control of personal information should be vigilant to data security and unauthorised use; 5) under the guidance of relevant departments, capable enterprises are encouraged to actively use big data to analyse and predict the movements of key persons who are either confirmed, suspected, or have been in close contact with those who are infected; and 6) breaches of rules and laws in the collection, use, or disclosure of personal information should be reported to the departments of internet information or public security.
Useful links
Contact us
Croatia
As at 18 May 2020
Regulatory stance: Supportive
Relevant DPAs and other authorities/bodies: Croatian Data Protection Authority (“Azop”)
Latest position: Azop's position since the beginning of the Covid-19 outbreak has been largely supportive. In particular, Azop has stated that an employer is allowed to process health data of its employees in order to protect against risks related to the COVID-19 pandemic. Azop has not taken a stance in relation to other data processing concerning the COVID-19 pandemic. Azop has also pointed to the Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak adopted by the European Data Protection Board, as well as to the Declaration by the Chair of the Committee of Convention 108 and the Data Protection Commissioner of the Council of Europe on the principles of data protection in the times of fight against the COVID-19 pandemic.
Useful links:
Contact us
Ivan Ivković
Republic of Cyprus
As at 18 May 2020
Regulatory stance: Supportive
Relevant DPAs and other authorities/bodies: Cyprus Data Protection Commissioner
Latest position: The Cyprus Data Protection Commissioner adopts the position of the European Data Protection Board in relation to the legal aspects of measures adopted to combat the COVID-19 crisis. Regarding the use of technical equipment, including thermal cameras, the Commissioner clarifies that the use of such equipment should be governed by the principles of the General Data Protection Regulation, including the principles of informed consent, necessity, transparency, purpose limitation and data minimisation. The Commissioner clarifies that controllers should be fully informed, prior to using such equipment, of its technical specifications and capabilities, as well as what personal data can be collected by the same.
Useful links:
- Latest publications by the Cyprus Data Protection Commissioner (only available in Greek)
Contact us
Alexandros Georgiades (a.georgiades@chrysostomides.com.cy)
Ioanna Sapidou (i.sapidou@chrysostomides.com.cy)
Czech Republic
As at 18 May 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies: Czech Data Protection Authority (DPA)
Latest position: The general position of the DPA is that the Covid-19 pandemic does not change the fact that personal data must always be processed on an appropriate lawful basis. The DPA acknowledges that temperature checks of employees can be conducted without consent based on the employer’s legitimate interest and compliance with the employer’s preventive obligations in EHS under the current extraordinary and time-limited pandemic situation. The Czech DPA has also issued guidance on the announcement of Covid-19 positive cases, not only at workplaces, and a statement on the collection and processing of localization data for the purpose of tracing infection chains.
Useful links:
- FAQ on data processing as a part of measures against spreading of covid-19
- DPA’s guidance on employee temperature checks
- DPA’s statement on processing of localization data as a part of Smart Quarantine Project
Contact us
Radek Matouš, Principal Associate
Denmark
As of 18 May 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies: The Danish Data Protection Authority (“Datatilsynet”)
Latest position: The general position of the Danish Data Protection Authority is that processing of personal data must always follow a legitimate purpose and be limited to what is necessary, and that it should be carefully considered whether the purpose can be fulfilled using lesser means. The DPA has specifically commented on processing information related to Covid-19 in the employment context. The DPA has commented that employers can process health information insofar as an appropriate lawful basis for processing can be identified. The information allowed to be processed is often determined by employment law rules and applicable public law on health etc. The DPA has stated that personal data not specific or concrete enough to constitute health information (such as that an employee is on sick leave but without specifying a reason, or that an employee has returned from a high-risk area) may be processed as long as it is necessary, in pursuit of a legitimate purpose and subject to a lawful basis for the processing. The DPA acknowledges that in some circumstances it may also be necessary for the employer to process information that an employee is infected with Covid-19 in order to enable management and co-workers to take necessary precautions. In summary, the current stance of the DPA is that it is incumbent upon data controllers to exercise caution and be very observant of whether and what is necessary and relevant to process in terms of health information, and that the processing must be well-reasoned.
Useful links:
Contact us
Helena Lybæk Gudmundsdottir
Estonia
As at 18 May 2020
Regulatory stance: Supportive
Relevant DPAs and other authorities/bodies: Estonian Data Protection Inspectorate (AKI)
Latest position: The Data Protection Inspectorate provided its regulatory stance on 20 March 2020. The main stance is that for every data collection (including special category personal data like health data), controllers shall ensure that the principles of proportionality and necessity are followed. It has also acknowledged that employers have an obligation to ensure the health and safety of employees, as well as a duty of care, and that data protection law doesn’t prevent them from doing this. The data minimisation principle should be put into practice and organisations should explore whether they can achieve the desired result through less privacy intrusive means. Employers are allowed to ask employees whether they have been in contact with infected persons, as well as whether they have been in risk areas.
Useful links:
- Only in Estonian: https://www.aki.ee/et/uudised/tootajate-isikuandmete-tootlemisest-koroonaviiruse-kontekstis
Contact us
Finland
As at 18 May 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies: Office of the Data Protection Ombudsman
Latest position: The general position of the DPA is that the Covid-19 pandemic does not change the fact that personal data must always be processed on an appropriate lawful basis.
Useful links:
Contact us
Germany
As at 14 May 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies:
- Federal Commissioner for Data Protection and Freedom of Information (BfDI)
- Data Protection Authority of different States
Latest position: The general position of all authorities is that the Covid-19 pandemic does not change the fact that personal data must always be processed on an appropriate lawful basis. Response measures taken by organisations must be critically examined for their suitability. The DPAs in Hamburg and North Rhine Westphalia acknowledge that temperature checks of employees can be conducted without consent under special circumstances. The DPAs have also issued guidance on working remotely (including advice on data security). The DPA in Bavaria issued a checklist on everything employers and employees need to consider when working from home. Use of private mobile numbers of staff may be acceptable according to the DPAs. Guidelines on the collection of customer contact data for the purpose of tracing infection chains have also been issued. This relates in particular to the collection of customer data in the gastronomy sector, since the gastronomy sector is now permitted to reopen.
Useful links:
Contact us
Nils Müller, Principal Associate
Constantin Herfurth, Associate
Greece
As at 15 May 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies: Hellenic Data Protection Authority (HDPA)
Latest position: In its guidelines on the processing of personal data in the context of Covid-19, the HDPA explains that the data protection framework does not prohibit the processing of personal data which is necessary to combat Covid-19 and sets forth the applicable legitimate bases that could be relied upon for the processing of personal data, including health data, with a special focus on the employment context. The HDPA states that, in order for a controller to take the necessary measures to prevent the spread of Covid-19, no personal data processing may be precluded prima facie as prohibited. The HDPA explains that the data protection legislation does not apply to temperature screening where the temperature reads are not recorded. On the other hand, any system of temperature screening that records the temperature should be carried out only when the controller has concluded that there are no other less privacy-intrusive means to achieve the same purpose; the HDPA concludes that a systematic, constant and generalised collection of personal data leading to the creation and regular update of employee health profiles is highly unlikely to pass the proportionality test. Also, in its guidelines on teleworking, which were issued shortly after its guidelines above, the HDPA recommends the adoption by employers of certain security measures to ensure secure remote access and suggests avoiding the use of personal email accounts and messaging applications.
Useful links:
- Guidelines on the processing of personal data in the context of COVID-19 (in Greek)
- Press release on processing of personal data in the context of managing COVID-19
- Guidelines for the adoption of security measures in the context of teleworking (in Greek)
Contact us
Mary Deligianni
Hong Kong
As at 15 May 2020
Regulatory stance: Supportive
Relevant DPAs and other authorities/bodies: Privacy Commissioner for Personal Data (“PCPD”)
Latest position: The PCPD takes the view that the right to personal data privacy is not an absolute right and may be subject to other competing interests, such as the absolute right to life and the interests of the public, including public health. The general position regarding the collection and use of health data in times of a pandemic is that data protection principles should not hinder measures taken in combating COVID-19 especially when the collection and use of data is in the interest of public health generally. Nevertheless, the PCPD stresses that organisations should not derogate from their responsibilities in handling personal data. Employers are reminded to follow the general rule that the measures taken to collect data should be necessary, appropriate and proportionate and they should seek to process the relevant data in an anonymised or de-identified way. The PCPD also advises organisations on practicable steps to take to safeguard personal data security in a home office setting. Separately, the PCPD has issued a number of statements advising on a range of other privacy issues arising from COVID-19, such as those relating to the Government’s mandatory quarantine measures.
Useful links:
- Fight COVID-19 pandemic guidelines for employers and employees
- Response to media enquiry on privacy issues arising from COVID-19
- The use of information on social media for tracking potential carriers of COVID-19
- Privacy issues arising from mandatory quarantine measures
Contact us
Ireland
As at 18 May 2020
Regulatory stance: Supportive
Relevant DPAs and other authorities/bodies: Data Protection Commission (DPC)
Latest position: The DPC’s stance from the beginning of the Covid-19 pandemic has been largely supportive in respect of organisations’ containment, management and mitigation plans. This is illustrated in one of its initial publications on Data Protection and COVID-19. The DPC stated that “Data protection law does not stand in the way of the provision of healthcare and the management of public health issues”. It caveated this statement by emphasising that there are important considerations that should be taken into account when collecting and processing personal data in these circumstances: “Measures taken in response to Coronavirus involving the use of personal data, including health data, should be necessary and proportionate. Decisions in this regard should be informed by the guidance and/or directions of public health authorities, or other relevant authorities”.
Useful links:
Contact us
Marie McGinley, Partner
Italy
As at 18 May 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies: Garante per la Protezione dei Dati Personali (“Garante della Privacy”)
Latest position: The general position of the Italian Data Protection Authority (“IDPA”) is that the Covid-19 pandemic does not change the fact that personal data must always be processed in compliance with data protection law principles and on an appropriate lawful basis. The IDPA makes reference to Italian emergency laws, which include a specific Protocol to regulate access to undertakings’ premises. These laws include data protection indications, e.g. for the collection of some data and/or the performance of body temperature checks (Italian law sets a temperature threshold for access). In particular, regarding this last case, the IDPA notes that “it is not permitted to record the data relating to the body temperature found; conversely, it is permitted to record the fact that the threshold set out in the law is exceeded, and recording is also permitted whenever it is necessary to document the reasons for refusing access to the workplace - in compliance with the principle of ‘data minimisation’ (Article 5(1)(c) of the Regulation)”. The IDPA also requires employers not to disclose the identities of employees who have tested positive to the other employees. The IDPA also stated that employers can require employees to take a COVID-19 test if this is deemed necessary by the company doctor (a specific figure under Italian Health and Safety Law), who is the only one able to see the relevant outcomes and to report to employers on employees’ fitness to work. Employers can offer to pay for their employees’ tests but they cannot be made aware of the relevant outcome.
Useful links:
- Coronavirus: Information from the Italian Supervisory Authority
- IDPA's website: dedicated Coronavirus page
- IDPA’s FAQs on Coronavirus
Contact us
Latvia
As at 18 May 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies: Data State Inspectorate (DSI)
Latest position: The DSI has provided limited guidance on personal data processing in the light of Covid-19 circumstances and it has been neutral. DSI has stressed the principle of lawfulness and purpose limitation by explaining that in order to ascertain the lawfulness and proportionality of the processing of personal data, the purpose of the specific activity, the purpose for which the personal data is collected, processed and published must be taken into account. The information shall be published to the extent necessary to achieve the relevant purpose. It has been expressly acknowledged by DSI that the protection of personal data should not be an obstacle to the effective fight against the spread of infectious diseases, including Covid-19. In order to prevent unjustified personal data processing, DSI has provided an analysis of a couple of situations regarding dissemination of information on persons infected with Covid-19.
Useful links:
- On publication of sensitive data (in Latvian)
- DSI highlights rights and obligations in the field of data protection in the context of health data (in Latvian)
Contact us
Lithuania
As at 19 May 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies: State Data Protection Inspectorate
Latest position: The general position of the Inspectorate is that the Covid-19 pandemic does not change the fact that personal data must always be processed on an appropriate lawful basis and the principle of data minimisation adhered to. Employers are entitled to collect and keep personal data on whether an employee is quarantined or has contracted a disease (without recording the specific disease or the reason for the quarantine). The employer is entitled to request information from its employees or visitors on whether they have COVID-19 symptoms or were diagnosed with COVID-19; however, having obtained such information, the employer is not entitled to retain it, as such information shall only be used for immediate disease prevention purposes. The State Data Protection Inspectorate has issued guidelines on data processing of employees, recommendations on organizing remote studying and recommendations on data processing of employees during remote work.
Useful links:
- Personal Data Protection and COVID-19 (in Lithuanian)
Contact us
Luxembourg
As at 18 May 2020
Regulatory stance: Restrictive
Relevant DPAs and other authorities/bodies: National Commission for Data Protection (CNPD)
Latest position: Companies are entitled to take some measures such as inviting their employees to inform them or the health authorities regarding possible exposure to Covid-19 (individual information). Companies are also allowed to collect the date and identity of the person(s) suspected to have been exposed to the virus, and to transmit such information to health authorities in case of exposure. However, companies are not entitled to (i) collect health personal data of employees and visitors on a systematic and general basis, such as conducting COVID-19 symptoms inspections; (ii) require employees to report on a day to day basis to their employer health personal data such as body temperature. This being said, the CNPD is of the view that it is allowed to organize systematic temperature scanning at the entrance of premises accessible to the public, provided that no personal data is recorded. The CNPD considers that it would be disproportionate to collect personal data when conducting temperature scanning.
Useful links:
- Recommendations by the CNPD on the processing of personal data in the context of a health crisis (10 March 2020)
Contact us
Hervé Wolff
Malta
As at 18 May 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies: Information and Data Protection Commissioner (IDPC)
Latest position: The position of the IDPC is that the COVID-19 pandemic does not change the fact that special categories of data, including health data, should always be processed on a lawful basis. In this respect, the IDPC notes that Article 9 of the GDPR sets out exceptions to the rule which controllers may rely upon to legitimise the processing of special categories of data, in particular, where the “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health”. Controllers are moreover instructed to ensure that appropriate measures are applied to secure processing operations to achieve the right balance between the need for processing health data and the rights of data subjects. The IDPC has adopted and endorsed the Statement on the processing of personal data in the context of the COVID-19 outbreak issued by the European Data Protection Board (EDPB) on the 19 March 2020.
Useful links:
- Office of the Information and Data Protection Commissioner - https://idpc.org.mt/en/Pages/Home.aspx
- Processing of personal data in the context of COVID-19 - https://idpc.org.mt/en/Press/Pages/Processing-of-personal-data-.aspx
- Statement on the processing of personal data in the context of the COVID-19 outbreak - https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf
Contact us
Maria Margo Zammit Fiorentino
Netherlands
As at 15 May 2020
Regulatory stance: Restrictive
Relevant DPAs and other authorities/bodies: The Dutch Data Protection Authority (Dutch: Autoriteit Persoonsgegevens)
Latest position: The Dutch Data Protection Authority (‘Dutch DPA’) is of the opinion that privacy principles should be adhered to without exception and repeatedly states it will initiate enforcement actions where organizations breach these principles. On 8 May 2020, the Dutch DPA nuanced its position on temperature screening during the Covid-19 pandemic. The Dutch DPA currently states that the GDPR does not apply when only the temperature itself will be read and the information will not be recorded or saved in an automated system. As a result, the Dutch DPA is not legally competent, but fundamental (privacy) rights may remain at issue. The Dutch DPA maintains its view that employers cannot lawfully process health data of employees and that consent thereto is unlikely to be valid. Only a company doctor may do so and the employer may merely ask the employee to monitor their own health closely.
Useful links:
- Temperature checks during Covid-19
- Working remotely during Covid-19
- Covid-19 measures at the workplace
- Education during Covid-19
Norway
As at 18 May 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies: The Norwegian Data Protection Authority – Datatilsynet https://www.datatilsynet.no/en/
Latest position: The general position of the DPA is that the Covid-19 pandemic does not change the fact that personal data must always be processed on an appropriate lawful basis and in accordance with law. Response measures taken by organisations and public authorities must be examined for their suitability. However, the DPA understands that privacy regulations are not practised as strictly as normal in the special situation with Covid-19. The DPA has stated that the authority has The DPA is closely monitoring the mobile tracking application developed by the Public Health Institute in order to ease tracking of persons who have been in contact with an infected individual. The DPA has also issued some guidance regarding Covid-19 and privacy at the workplace, in schools and for video consultation for healthcare professionals etc.
Useful links:
- https://www.datatilsynet.no/personvern-pa-ulike-omrader/korona/
- DPA’s information regarding control and enforcement of regulations during Covid-19
- DPA guidance for video consultation services
- DPA guidance for workplaces
- DPA guidance for use of digital services in schools
Contact us
Kari Gimmingsrud
Isak Mendoza
Poland
As at 18 May 2020
Regulatory stance: Supportive
Relevant DPAs and other authorities/bodies:
- Personal Data Protection Authority
- National Sanitary Inspectorate
Latest position: Following the statement of PUODO (the Polish DP Authority) on 5 May, the proper legal basis is Art. 9.2i GDPR in relation to a decision of GIS (the National Sanitary Inspectorate). An employer is entitled to carry out temperature checks on the basis of a GIS decision. The decision may be general, or individual and issued on request. There is currently no general decision requiring temperature checks. PUODO also stated that consent obtained from employees for temperature checks is an improper legal basis and may be challenged as invalid. There is no direct PUODO statement on another possible legal basis, e.g. Art. 9.2b in relation to Occupational Health and Safety legal requirements. Where an employer decides to implement temperature checks anyway, Art. 9.2b in relation to Occupational Health and Safety legal requirements may be a possible legal basis under the GDPR in Poland. It may be challenged as well, but it is the only legal basis available as an alternative to a GIS decision.
Useful links:
- https://uodo.gov.pl/pl/138/1516
- https://www.pip.gov.pl/pl/wiadomosci/108072,wyjasnienia-pip-w-zwiazku-z-koronawirusem.html
Contact us
Aleksandra Kunkiel-Kryńska, Partner
Agnieszka Sagan-Jeżowska, Senior Associate
Russia
As at 18 May 2020
Regulatory stance: Supportive
Relevant DPAs and other authorities/bodies: Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor)
Latest position: The general position of the Russian Data Protection Authority is that the Covid-19 pandemic does not change the fact that personal data must always be processed on an appropriate lawful basis. Response measures taken by organisations must be critically examined for their suitability. At the same time, the Russian Data Protection Authority acknowledges that temperature checks of employees can be conducted without the consent of the employees. Moreover, the Russian DPA has taken quite a liberal approach, under which visitors to company premises who do not have an employment relationship with the company tacitly express their consent to their temperature being measured (though in an anonymous way) by showing intent to visit the company premises.
Useful links: Use of thermal imagers during the Covid-19 epidemic – clarifications (10 March 2020)
Contact us
Ekaterina Mironova, Principal Associate
Ivan Kaisarov, Senior Associate
Slovakia
As at 18 May 2020
Regulatory stance: Neutral
Latest position: The general position of the Slovak Data Protection Authority is that the Covid-19 pandemic does not change the requirement that personal data must always be processed on an appropriate lawful basis. Response measures taken by organisations must be critically examined for their suitability.
The DPA recognizes the Public Health Authority's measure that the bodily temperature of employees and visitors must be measured at entrances to hospitals and production plants. Such processing would thus take place in order to comply with the relevant law; other operations may consider processing this sensitive personal data on the basis of a legitimate interest, in both cases in compliance with an applicable legal ground pursuant to Article 9(2) GDPR.
Useful links:
- guidance on data processing during COVID-19 (in Slovak)
- documents on data processing during COVID-19 crisis through applications (Slovak or English)
- measurement of bodily temperature at an entrance to a premise (Slovak)
Relevant DPAs and other authorities/bodies: Data Protection Office of the Slovak Republic
Contact us
Helga Maďarová, Senior Associate
Jana Sapáková, Principal Associate
Slovenia
As at 18 May 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies: Information Commissioner (Informacijski pooblaščenec)
Latest position: The general position of the DPA is that the Covid-19 pandemic does not change the fact that personal data must always be processed on an appropriate lawful basis. In its opinions, the DPA emphasises that employers should consult with a selected occupational medicine practitioner before implementing response measures in order to assess their suitability. The DPA acknowledges that temperature checks of employees can be conducted without consent under special circumstances. The DPA also issued an opinion on the processing of employee personal data when using an application for monitoring homeworking. According to the DPA, an employer may collect personal data of visitors in specific circumstances.
Useful links: Opinions issued by the Information Commissioner
Contact us
Sandra Kajtazović
South Africa
As at 18 May 2020
Regulatory stance: Supportive
Relevant DPAs and other authorities/bodies: Information Regulator
Latest position: Although the Information Regulator (Regulator) acknowledges that not all the sections of POPIA have come into effect, the Regulator encourages proactive compliance by responsible parties when processing personal information of data subjects who have tested or are infected with COVID-19, or who have been in contact with such data subjects.
The Regulator has issued the Guidance Note to give effect to the right to privacy as it relates to the protection of personal information and to provide guidance to public and private bodies and their operators on the limitation of the right to privacy when processing personal information of data subjects for the purpose of containing the spread and reducing the impact of COVID-19.
The Regulator recognises the need to effectively manage the spread of COVID-19, which has necessitated the limitation of various constitutional rights of data subjects. The Regulator therefore supports the need to process personal information of data subjects in order to curb the spread of COVID-19.
The Guidance Note stipulates that (inter alia):
- Responsible parties must process the personal information of data subjects in a lawful and reasonable manner in order to detect, contain and prevent the spread of COVID-19.
- Responsible parties must collect personal information of a data subject for a specific purpose, which in this context is to detect, contain and prevent the spread of COVID-19. It is not necessary for a responsible party to obtain consent from a data subject to process his or her personal information in the context of COVID-19, when: processing complies with the obligation imposed by law on the responsible party; processing protects a legitimate interest of the data subject; processing is necessary for the proper performance of a public law duty by a public body; or processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
- Electronic Communication Service Providers must provide the Government with mobile location-based data of data subjects and the Government can use such personal information in the management of the spread of COVID-19 if certain criteria are met.
Contact us
Grant Williams GrantWilliams@eversheds-sutherland.co.za +27 10 003 1375
Kelly Hutchesson KellyHutchesson@eversheds-sutherland.co.za +27 10 003 1380
Spain
As at 18 May 2020
Regulatory stance: Supportive (but restrictive regarding temperature checking unless recommended by the Health Ministry)
Relevant DPAs and other authorities/bodies:
- Spanish Data Protection Agency (AEPD)
- Catalan Data Protection Authority (APDCAT)
- Agencia Vasca de Protección de Datos (AVPD)
Latest position: The AEPD has expressed its concern about the widespread adoption of temperature checking by shops, workplaces and other establishments, since it involves a particularly intense interference with the rights of data subjects and is being carried out without prior guidance from the health authorities.
Useful links:
- https://www.aepd.es/es/prensa-y-comunicacion/notas-de-prensa/comunicado-aepd-temperatura-establecimientos
- https://www.aepd.es/sites/default/files/2020-03/FAQ-COVID_19-en.pdf
- https://www.aepd.es/es/documento/2020-0017.pdf
- https://www.aepd.es/sites/default/files/2020-05/analisis-tecnologias-COVID19.pdf
Sweden
As at 18 May 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies: Data Protection Authority (Sw. Datainspektionen)
Latest position: The general position of the Swedish Data Protection Authority (the “DPA”) is that the Covid-19 pandemic does not change the fact that personal data must always be processed on an appropriate lawful basis. The DPA has issued guidance on digital infection tracing and also stated that if a request for prior consultation in relation to a service for digital infection tracing is received, this will be prioritized. The DPA also clarified that if a private entity develops an app for digital infection tracing with the use of location data from telephones or electronic communication service providers, the consent of the data subject is necessary. The DPA has also issued guidance on digital teaching (including information on data security).
Contact us
Josefine Karlsson, Senior Associate
Switzerland
As at 2 June 2020
Regulatory stance: Neutral
Relevant DPAs and other authorities/bodies: Swiss Federal Data Protection and Information Commissioner (FDPIC)
Latest position: The Swiss data protection authority (FDPIC) is of the opinion that data privacy principles have to be adhered to. In particular, the collection, processing and retention of health-related personal data should be limited to the necessary minimum. Whenever possible, personal data about employees should be provided by the employees themselves, for example by informing the employer if they exhibit symptoms of a COVID-19 infection. Furthermore, in the FDPIC’s view, companies may collect personal data about customers, clients, etc. in relation to protective measures against COVID-19 only on a voluntary basis, without any direct or indirect detriment if the individual does not want to provide the personal data. The FDPIC is also closely monitoring the mobile proximity tracking app (SwissCovid App) developed in Switzerland on behalf of the Federal Office for Public Health.
Useful links:
- Legal data protection framework for coronavirus containment
Contact us
Michel Verde, Senior Associate
United Kingdom
As at 14 May 2020
Regulatory stance: Supportive
Relevant DPAs and other authorities/bodies:
- Information Commissioner’s Office (“ICO”)
- National Cyber Security Centre (“NCSC”)
Latest position: The ICO’s stance from the outset of the Covid-19 outbreak has been largely supportive as regards organisations’ containment, management and mitigation plans. It even issued a document emphasising its “empathetic and pragmatic” approach during the public health emergency. The ICO’s primary message for controllers is to ensure that any collection of personal data (including special category personal data like health data) is proportionate and necessary. It has also acknowledged that employers have an obligation to ensure the health and safety of employees, as well as a duty of care, and that data protection law doesn’t prevent them from doing this. In its “Workplace testing – guidance for employers”, the ICO reminds employers of the key data protection compliance points to consider when testing staff upon their return to the office. Among other things, data protection impact assessments should be conducted, notices provided and processes put in place to ensure that individuals’ rights can be exercised effectively. In addition, the data minimisation principle should be put into practice and organisations should explore whether they can achieve the desired result through less privacy-intrusive means. The NCSC has also published a number of resources to help organisations manage the security risks associated with Covid-19, such as increased remote working.
Useful links:
- ICO data protection and coronavirus hub
- ICO regulatory approach during the coronavirus public health emergency
- ICO workplace testing – guidance for employers
- ICO working from home guidance
- ICO general guidance for controllers
- NCSC home working guidance
- NCSC video conferencing services
Contact us
Paula Barrett, Partner Co-Lead of Global Cybersecurity and Data Privacy
As at 14 May 2020
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.