On March 6, 2020, the Irish Supervisory Authority (“DPC”) issued guidance on how companies should process personal data when taking steps to contain the spread and mitigate the effects of COVID-19.

The DPC made clear that data protection law does not stand in the way of the provision of healthcare and the management of public health issues, but stressed that companies should be mindful of the following obligations when processing personal data in the context of the COVID-19 crisis:

Legal bases: According to the DPC, where organizations are acting on the guidance or directions of the competent public authorities, it is likely that the relevant data processing may be considered lawful on the basis that it is “necessary for reasons of public interest in the area of public health” under Article 9(2)(i) GDPR.  However, suitable safeguards should be implemented.  Such safeguards may include limitation on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.

In addition, the DPC found that companies may rely on Article 9(2)(b) GDPR (“obligations in the field of employment”) to process the personal data of their employees, as employers have a legal obligation to protect their employees under the Irish Safety, Health and Welfare at Work Act 2005 (as amended).  However, employers should rely on this legal basis only where it is deemed necessary and proportionate to do so, and should ensure that any data that is processed be treated in a confidential manner, as elaborated below.

Furthermore, the DPC took the view that in emergency situations, where no other legal basis can be identified, companies may be in a position to rely on Article 9(2)(c) GDPR to process personal data to protect the vital interests of an individual data subject or other persons.

In light of the above, according to the DPC, employers would be justified in “asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms”, as well as “requiring employees to inform them if they have a medical diagnosis of COVID-19 in order to allow necessary steps to be taken”.  Nonetheless, it stated that “implementation of more stringent requirements, such as a questionnaire, would have to have a strong justification based on necessity and proportionality and on an assessment of risk”.

Transparency and privacy notices: The DPC stressed that organizations processing personal data must be transparent regarding the measures they implement to limit the spread of COVID-19. In particular, they must provide the concerned individuals with an appropriate, concise and easily understandable notice, which should specify, among other things, the purpose of collecting the personal data and how long the data will be retained for.

Confidentiality and security: The DPC held that employers should make sure that they process the personal data of their employees in a way that ensures their security and confidentiality; the identity of affected individuals should not be disclosed to any third parties or to their colleagues without a specific justification.  In other words, an employer may inform its staff that there has been a case, or suspected case, of COVID-19 in its organization and ask them to work from home, but the affected individual should not be named.

Data minimization: The DPC also warned companies that they should process only the minimum amount of data that is necessary to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19.

Record keeping: According to the DPC, controllers should ensure that they document any decision-making process regarding measures implemented to manage COVID-19, which involve the processing of personal data.

The publication of the DPC’s guidance follows the publication of similar guidance by other European regulators, including those of France, Denmark, Iceland, Italy, Luxembourg, Norway, and Poland.  However, the authorities of some major European jurisdictions, like Germany and Spain, have not yet published guidance on this matter, but might do it soon.  The European Data Protection Board (“EDPB”) might also decide to intervene at some point, given that the views of EU supervisory authorities are not always aligned.  Covington will continue to monitor developments in this area.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.