Coronavirus and personal data collection

Krzysztof Grabowski, Data Protection Officer
In the era of the coronavirus pandemic, data protection regulations provide companies with tools that facilitate their operations in this extremely difficult period. What possibilities for data processing under exceptional circumstances does the GDPR permit?

The Data Protection Regulation allows the processing of special categories of personal data, e.g. data on the health of a natural person, in situations in which this is necessary because of public interest reasons relating to public health. This definition includes protection against serious risks, such as the COVID-19 pandemic, as referred to in Article 9(2)(i) of the GDPR. In the current situation, Article 6(1)(d) of the GDPR can also be used, since it allows the collection and processing of data for purposes necessary to protect the vital interests of a natural person. An additional rationale for using the above provisions is Recital 46 of the GDPR, which refers to the possibility of processing data when processing is necessary 'for humanitarian purposes, including for monitoring epidemics and their spread'.

Data may be collected by public institutions and organisations as well as by private companies. It may be collected from:

  • employees
  • visitors
  • people entering the company premises, e.g. with deliveries of goods.

It should also be borne in mind that data may still be collected on the basis of the consent of natural persons (Article 6(1)(a) of the GDPR) if we are not sure whether the grounds described above can be used.

Example: Collecting private phone numbers from employees is possible with their consent. The precise purpose for which such data is collected must be specified, e.g. contact during remote work. A second way of contacting an employee is to redirect calls from a landline number to a private phone, but this also requires the employee's consent.

Even in exceptional situations, such as the coronavirus pandemic, it is important to ensure compliance with the basic principles of personal data processing:

  • The amount of personal data should be adequate for the intended purpose
  • Data should be processed for a specific and explicit purpose
  • The obligation to provide information to natural persons should be fulfilled, covering:
    • the retention times
    • the purpose of processing
    • the rights of natural persons
    • contact details of the administrator or the DPO (if designated).
  • The information provided should be easily accessible and written in comprehensible language
  • Personal data records should be secured by appropriate technical and organizational measures
  • The consent of a natural person must be voluntary

Governments, public and private organizations across Europe are taking appropriate measures to reduce and mitigate the impact of the COVID-19 pandemic. Therefore, both the PDPO (Personal Data Protection Office) and the EDPB (European Data Protection Board) have published statements on this matter:

https://edpb.europa.eu/our-work-tools/our-documents/other/statement-processing-personal-data-context-covid-19-outbreak_en

https://uodo.gov.pl/pl/138/1456
