• Bel 0172 503 250
  • Routebeschrijving

Privacy and Corona (COViD-19)

The countries in the EU and all over the world have taken measures to fight the coronavirus. The question is how this can be done effectively while taking into account the General Data Protection Directive (GDPR). The GDPR applies to all businesses and organisations operating in the EU.

Are exceptional measures such as data access and processing of specific sensitive data allowed under the GDPR?

For example, Italy has taken a decree allowing extensive data access and processing in order to prevent further spread of the virus. However, the consequences of extensive measures to contain the outbreak should not be underestimated. People who are infected could fear that any further information on their social status, recent contacts, meetings etc. could be used for other purposes. For example could insurance companies get access to such data?

Privacy and Corona FAQ

Click on one of the questions below to jump straight to the answer.

How do businesses and organisations fight the virus and be compliant with the GDPR rulebook?

Article 6 of the GDPR states that processing of personal data without consent is lawful where it is necessary for compliance with a legal obligation to which the controller is subject, to protect the vital interests of the data subject or of another natural person, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Article 9 GDPR prohibits processing of special categories of personal data (including biometric and health data) without explicit consent. The following limited exceptions apply:

· “to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;"

· “for reasons of substantial public interest;”

· “for the purposes of preventive or occupational medicine. . . medical diagnosis. . . [or] the provision of health or social care or treatment;" and

· “for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health."

The GDPR makes clear that processing special categories of personal data without consent may be necessary for public health reasons but such processing should not result in the data being processed for other purposes.

What can employers do?

As companies should take action to minimise the risk of infection and to provide a healthy and safe work environment, they can obtain information on whether an employee has travelled to a region with confirmed COVID-19 cases.

Some systemic data collection may also be required, such as through questionnaires to report on travel plans.

These subjects are covered by articles 6 and 9 of the GDPR due to workplace health and safety.

The Netherlands Data Protection Authority (Autoriteit Persoonsgegevens) have also published a Q&A on the coronavirus:

One of the most frequently asked questions is if the employer can check the mailbox of a sick employee. The initial answer is yes. Because of the interest of the employer to continue the business while its employee is sick. Checking the e-mail account must however then be necessary and may only relate to business e-mails.

What can’t you do?

Currently (production) companies are staying open and are exploring the possibilities to prevent any further spread the virus by reading the temperature of employees and/or visitors. The Netherlands Data Protection Authority has stated that such measures are not allowed (and there is no room for informed consent if such measures are mandatory). However, the question remains whether the GDPR applies if such readings are anonymous and the readings are not recorded (digitally or physically).

Privacy in health care

Medical health care providers are bound by medical confidentiality.

Only in exceptional situations can a healthcare provider pass on your medical information. As a patient, you must be able to count on your medical information staying confidential, so everything you tell a healthcare provider in confidence remains confidential.

Medical confidentiality applies to, amongst others, doctors, dentists, pharmacists, GZ-psychologists, psychotherapists, physiotherapists, midwives and nurses. This is regulated by law. However, in the current situation for COVID-19 there are exceptions such as the Public Health Act. Under the latter Act, your healthcare provider must, for example, report infectious diseases as COVID-19 directly to the Municipal Health Service (GGD).