On 18 March, 2020, the Hellenic (Greek) Data Protection Authority (“HDPA”) issued guidelines on data protection and COVID-19. With these guidelines, the HDPA aims to provide guidance on the interpretation and application of data protection legislation during the COVID-19 pandemic. In this blog, we summarise the key points included in the HDPA’s guidelines.
- Categorization of personal data
The HDPA draws the following distinction with respect to the types of personal data:
- data concerning the health status of an identified or identifiable natural person (“data subject”), including whether the data subject has received health care recently, is data concerning the health of the data subject, and, therefore, falls within the special categories of personal data (under Article 9 of General Data Protection Regulation – “GDPR”), which are subject to stricter protection. Examples of types of data related to the health of the data subject include data concerning i) whether the data subject has been infected by the virus or not, ii) whether he or she remains at home due to illness and iii) whether he or she has presented any signs of illness (g., cough, fever);
- in contrast, other personal data, such as information regardingthe data subject’s recent visits to a foreign country with a high number of COVID-19 cases, or whether one of the data subject’s relatives or colleagues has been infected by COVID-19, does not constitute data related to the health of the data subject. As a result, such data does not fall within the special categories of personal data.