On 18 March, 2020, the Hellenic (Greek) Data Protection Authority (“HDPA”) issued guidelines on data protection and COVID-19. With these guidelines, the HDPA aims to provide guidance on the interpretation and application of data protection legislation during the COVID-19 pandemic. In this blog, we summarise the key points included in the HDPA’s guidelines.
- Categorization of personal data
The HDPA draws the following distinction with respect to the types of personal data:
- data concerning the health status of an identified or identifiable natural person (“data subject”), including whether the data subject has received health care recently, is data concerning the health of the data subject, and, therefore, falls within the special categories of personal data (under Article 9 of the General Data Protection Regulation – “GDPR”), which are subject to stricter protection. Examples of types of data related to the health of the data subject include data concerning i) whether the data subject has been infected by the virus or not, ii) whether he or she remains at home due to illness and iii) whether he or she has presented any signs of illness (e.g., cough, fever);
- in contrast, other personal data, such as information regarding the data subject’s recent visits to a foreign country with a high number of COVID-19 cases, or whether one of the data subject’s relatives or colleagues has been infected by COVID-19, does not constitute data related to the health of the data subject. As a result, such data does not fall within the special categories of personal data.
- Scope of application of GDPR and Greek data protection law
Pursuant to Article 2(1) of the GDPR and Article 2 of Law 4624/2019 (the Greek law implementing the GDPR), the legal framework for the processing of personal data applies solely in cases where personal data is processed wholly or partly by automated means or where it otherwise forms part of a filing system or is intended to form part of a filing system. As a result, information provided orally (for example, whether a data subject has been infected by COVID-19 or whether one’s body temperature is higher than normal) does not fall within the scope of the GDPR, where it is not recorded.
- Processing by public authorities
Public authorities acting as data controllers may process personal data in the context of adopting the necessary measures to tackle the COVID-19 outbreak and limit its spread. Notably, this data processing may be based on different legal bases under the GDPR, such as those provided by Article 6(1)(c), (d) and (e), pursuant to which the processing is necessary i) for compliance with a legal obligation to which the controller is subject; ii) to protect the vital interests of the data subject or of another natural person; or iii) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Further, public authorities may process sensitive personal data based on Article 9(2)(b), (e), (h) and (i), where the data processing is necessary i) for the purposes of carrying out obligations derived from employment and social security and social protection law; ii) for the purposes of preventive or occupational medicine for the assessment of the working capacity of the employee; or iii) for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health; or iv) where the processing relates to personal data which is manifestly made public by the data subject.
That said, the HDPA points out that the right to the protection of personal data is not an absolute right and, as such, it must be balanced against other fundamental rights, in accordance with the principle of proportionality. As a result, the right to the protection of personal data does not present a barrier for the authorities to adopt the necessary measures to combat COVID-19, provided that the basic principles are respected and the relevant substantive and procedural guarantees and conditions for lawful processing are ensured.
- Issues concerning businesses and employers
With respect to private sector companies, the HDPA notes that, pursuant to national legislation, employers have the obligation to take the necessary measures to ensure the safety and health of their employees. This means that employers may lawfully process the personal data of their employees to ensure the protection of their safety and health, as long as the basic principles of Article 5 of the GDPR are respected. Notably, this processing may be based on Article 6(1)(c), (d) and (e), and Article 9(2)(b), (e) and (i) of the GDPR, and should be carried out in accordance with the guidance of the authorities.
In addition, the HDPA notes that it has received many queries from employers asking for guidance with respect to the conditions under which the processing of personal data of employees, suppliers, customers and others is lawful. For example, companies have asked whether measures, such as taking the temperature of people entering their business premises, or asking employees to complete questionnaires about the health of their relatives or their travel history, or informing other employees about the identity of an employee infected by COVID-19, would be compliant with the GDPR. The HDPA explains that all employers acting as data controllers should carry out all data processing activities that are necessary to ensure the protection of their employees’ health, and that none of the measures mentioned above could be considered automatically unlawful, especially during these unprecedented circumstances.
However, the HDPA highlights that any data processing should be carried out in accordance with Articles 5 and 6 of the GDPR, noting that the employers are responsible for demonstrating compliance with the GDPR (based on the principle of “accountability”). Further, employers should also make sure that i) they collect only data that is related to the processing purpose in accordance with the GDPR principles of purpose limitation and proportionality; and ii) the confidentiality of the data collected is protected through the requisite security measures.
Finally, with respect to processing more privacy-intrusive data (such as temperature controls at the entrance to facilities), the HDPA notes that these activities should be carried out only when the data controller has concluded that there are no other less privacy-intrusive means to achieve the same purpose. As a result, the HDPA concludes that a systematic, constant and generalised collection of personal data leading to the creation and regular update of employee health profiles is highly unlikely to be compliant with the principle of proportionality.
- Disclosure of data about deceased persons
Pursuant to Recital 27 of the GDPR, the data protection legislation does not apply to deceased persons. However, the HDPA notes that, because the disclosure of data related to patients who died from COVID-19 may lead to the indirect identification of living natural persons (e.g., who came into contact with or were relatives of the deceased), the principles of Article 5(1) and the provisions of Article 6 of the GDPR may exceptionally apply to the disclosure of such data.
- Voluntary disclosure of personal data by COVID-19 patients
The HDPA clarified that, when data subjects voluntarily publish personal data related to their health, such as the fact that they have tested positive for COVID-19, the processing of this data by third parties should be deemed lawful (pursuant to Article 9(2)(e) of the GDPR). However, the HDPA notes that the principles of Article 5 of the GDPR should be respected in any event.
- Disclosure of data by the data controller
The HDPA notes that the disclosure of personal data related to the health of the data subjects should not be permitted if it may i) lead to prejudice and stigma against the data subjects, and/or ii) deter compliance with the measures imposed by the authorities, which may eventually undermine their effectiveness. This prohibition applies even if the disclosure is justified under grounds in Articles 5, 6 or 9 of the GDPR.
- Processing for journalistic purposes
The HDPA points out that, before disclosing data enabling the identification of any data subjects (e.g., name, pictures or other characteristics), journalists should always assess the necessity of such disclosure, considering that even public authorities (such as the National Public Health Organization and the General Secretariat for Civil Protection) process anonymised data for epidemiological analysis, or process data that has been previously pseudonymised.
* * * *
These guidelines from the Greek authority follow similar statements and guidance from other European regulators, including the European Data Protection Board and the Supervisory Authorities of Belgium, Czech Republic, Denmark, Finland, France, Germany, Hungary, Iceland, Ireland, Liechtenstein, Lithuania, Luxembourg, the Netherlands, Norway, Slovakia, Slovenia, Spain, Sweden, Poland and the UK. Covington will continue to monitor ongoing developments in this area.