The Data Protection Regulation allows the processing of special categories of personal data, e.g. data on the health of a natural person, in situations in which this is necessary because of public interest reasons relating to public health. This definition includes protection against serious risks, such as the COVID-19 pandemic, as referred to in Article 9(2)(i) of the GDPR. In the current situation, Article 6(1)(d) of the GDPR can also be used, since it allows the collection and processing of data for purposes necessary to protect the vital interests of a natural person. An additional rationale for using the above provisions is Recital 46 of the GDPR, which refers to the possibility of processing data when processing is necessary 'for humanitarian purposes, including for monitoring epidemics and their spread'.
Data may be collected by the public institutions and organisations as well as by private companies. They may be collected from:
It should also be borne in mind that data may still be collected on the basis of the consent of natural persons (Article 6(1)(a) of the GDPR), if we are not sure about the use of these grounds.
Example: Collecting private phone numbers from employees is possible upon their consent. It is required to specify the precise purpose for which such data is collected, e.g. contact during remote work. A second possibility of contact with an employee is to redirect calls from a landline number to a private phone, but this form also requires the employee's consent.
Even in exceptional situations, such as the coronavirus pandemic, it is important to ensure compliance with the basic principles of personal data processing:
Governments, public and private organizations across Europe are taking appropriate measures to reduce and mitigate the impact of the COVID-19 pandemic. Therefore, both the PDPO (Personal Data Protection Office) and the EDPB (European Data Protection Board) have published statements on this matter: