GDPR & COVID-19

April 17, 2020

“Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic.”

This is the summary by the Chair of the European Data Protection Board (EDPB), dated 19 March 2020. The Statement further stipulates: “Emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.”

The official document advises, however, that “Even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.”

In summary, the GDPR provides for the legal grounds to enable employers and public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject.

Emergency legislation is possible on the condition that it constitutes a ‘necessary, appropriate and proportionate measure within a democratic society’.

How are the legal bases laid out?

The GDPR allows ‘competent public health authorities and employers’ to process personal data in the context of an epidemic, in accordance with national law and in a circumstance where processing is necessary for reasons of substantial public interest, such as the area of public health.

In an employment context, the processing of personal data may be necessary for compliance with a legal obligation to which an employer is subject or, based on the reasoning above, for reasons of public interest (health) or to protect a vital interest.

With respect to location data, generally this can only be used by the operator once anonymised or with the prior consent of individuals. However, Article 15 of the ePrivacy Directive enables member states to introduce further legislative measures to safeguard public security.


The core principles for processing in the context of COVID-19 set out in the Statement are explained as follows:

Personal data required to arrive at the objectives in question should be processed for purposes which are specified and explicit.
Processing activities being carried out should be made transparent to data subjects and the main features of the activities should be laid out.
Adequate security measures should be adopted alongside confidentiality policies to ensure personal data is not disclosed to unauthorised parties.

You can read the official EDPB statement here: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf
