COVID-19 has resulted to a universal lockdown, leaving millions of questions regarding cyber security and the processing of sensitive personal data in a teleworking environment.
The European Data Protection Board (EDPB) clearly stated that although there have been no changes made in the Regulation, it is crucial for all data controllers to ensure the protection of the personal data of data subjects. In view of the circumstances, the Board has highlighted a number of considerations to be followed, for the guarantee of a lawful processing and the avoidance of possible breaches.
The broadness of the GDPR text has covered the possibility of processing of personal data in a context of emergency states, such as the COVID-19 pandemic. The legislation indeed, sets all necessary legal grounds to enable all legal entities, physical persons, as well as all competent public health authorities, to process personal data in the context of emergency situations, without the necessity to obtain the data subject’s consent. According to the Article 6 and 9 of the GDPR, an exceptional application of the legislation in an emergency context may be allowed, due to the principle of the public interest in the domain of public health or the protection of vital interests. Another legitimate foundation is the compliance with a legal obligation.
As far as the processing of electronic communication data is concerned, each Member State must individually comply on a national level. According to the ePrivacy Directive, location data may only be used by the mobile operator in an anonymous form, or alternatively, with the consent of the data subjects. Anonymity is crucial for the avoidance of a potential transformation of such mobile data into sensitive personal data.
In the event that an anonymous data processing is impossible, the ePrivacy Directive in it’s Article 15 enables the exceptional introduction of national interpretation laws, on the grounds of national and public security, such as the safeguarding of the public health of the population. The adoption of emergency measures is possible only in case a national government considers it to be a necessary, appropriate and proportionate action that does not constitute a threat to the democracy within the society. Furthermore, the legislator must prove the necessity of such measures by the establishment of all necessary safeguards, including the guarantee of a judicial remedy to all subjects.
For legal entities having been obliged to opt for teleworking operations, it is considered necessary to remain compliant with the relevant EU legislations, in order to keep providing lawful personal data processing. Constant data control and high level of cyber security is advisable for the avoidance of sanctions.
The present article is for informational purposes only and does not, under any circumstances, constitute legal advice. For further information on the subject, please visit our website and/or contact Arsen Theofanidis LLC.
Nika Kalifatidou
Advocate- Legal Consultant
Arsen Theofanidis LLC