“Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic.”
This is the summary by the Chair of the European Data Protection Board (EDPB), dated 19 March 2020. The Statement further stipulates: “Emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.”
The official document advises, however, that “Even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.”
In summary, the GDPR provides for the legal grounds to enable employers and public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject.
The emergency legislation is being made possible under the condition that it constitutes a ‘necessary, appropriate and proportionate measure within a democratic society’.
The GDPR allows ‘competent public health authorities and employers’ to process personal data in the context of an epidemic, in accordance with national law and in a circumstance where processing is necessary for reasons of substantial public interest, such as the area of public health.
In an employment context, the processing of personal data may be necessary for compliance with a legal obligation to which an employer is subject, based on the reasoning above, for reasons of public interest (health), or to protect a vital interest.
With respect to location data, this can generally only be used by the operator once anonymised or with the prior consent of individuals. However, Article 15 of the ePrivacy Directive enables member states to introduce further legislative measures to safeguard public security.
The core principles for processing in the context of COVID-19 set out in the Statement are explained as follows:
Personal data required to arrive at the objectives in question should be processed for purposes which are specified and explicit.
Processing activities being carried out should be made transparent to data subjects and the main features of the activities should be laid out.
Adequate security measures should be adopted alongside confidentiality policies to ensure personal data is not disclosed to unauthorised parties.
You can read the official EDPB statement here: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf