Corona Desk

Protection of personal data and COVID 19
Mislav Bradvica | 24.03.2020

Informative answer with particular emphasis on GDPR

We have highlighted a few of the most frequently asked questions at this stage


“Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of  personal data.”

Andrea Jelinek, President of the European Data Protection Board 16 March 2020

In this moment it is not necessary anymore to mention that the global spread of the corona virus disease Covid-19 has caused a number of challenges for states in view of the organisation of an effective healthcare mechanism and in view of the establishment of plans to keep the economies from collapsing.
At the same time every entrepreneur is at this moment faced with the challenge of finding quick and adequate solutions to keep their business vital, but even more important - also with the challenge of protecting the health and safety of their employees.
In these moments employers are reaching for measures like gathering information about the current health situation of the employees (especially about the existence of symptoms of the corona virus disease Covid-19), are informed about the recent movements of their employees (trips to risky areas), contacts with other persons and the like.
It is clear from this, of course, that this is not the usual data set that would be expected in the employer-employee relationship. On the contrary, employers are even entering into the so-called special category of personal data that most of the “freshly established” systems have not yet encountered.
Therefore, it is quite understandable that at the moment most employers - especially in the European Union - are asking themselves at least the following: Can I collect this information? If yes, how to organize the processing and storage of this data? Is this all GDPR compliant?
In order to facilitate this process for you, we have highlighted a few of the most frequently asked questions at this stage and some that we think need clarification, and have provided a concise and informative answer for each - with particular emphasis on GDPR.

What is considered legitimate processing of personal data in this situation (especially health data)?
What GDPR processing bases can I rely on?

It should first be made aware that GDPR classifies health data into the so-called special category of personal data (Article 9 GDPR) which should therefore be protected with an extra dose of caution.
However, the prohibition of processing data in this category is also not absolute, that is, it is allowed if certain conditions are fulfilled.
Thus, even in these extraordinary circumstances, processing of employee health information is permitted if necessary:
- to respect the legal obligations of the data controller (Article 6 (1) c) GDPR), or for the purposes of fulfilling the obligations and exercising the special rights of data controller in the field of labor law (Article 9 (2) b) GDPR) –e.g. obligations to protect safety, health and workers' lives as defined by the Labor Act and the Occupational Safety and Health Act;
- to protect key interests of the data subjects or other natural persons - (Article 6 (1) d) GDPR) – e.g. communicating employee health information to medical staff;
- for legitimate interests purposes (Article 6(1)f) GDPR) – provided that processing is necessary, appropriate and proportionate (LIA test);
Or as the most stressed lawful basis for processing:
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health (Article 9 (2) i) GDPR.

Stop here and seek legal help from an internal legal team or external legal counsel (lawyer).
If this is not possible at this point in time, record the process of processing the personal data and the lawful basis on which you have relied and inform your legal advisors as soon as possible.

What is even considered personal and/or health data in this situation?
Personal data in terms of GDPR is all information relating to an individual whose identity is identified or can be directly or indirectly identified through certain identifiers.
On the other hand, for the time being, there is no unified view as to what would represent health data whose processing is justified in the COVID-19 situation - neither at the level of the Republic of Croatia nor at EU level.
However, generally speaking, European countries that have approached this problem in a moderately restrictive manner have interpreted that health data would be considered information for processing if the person was infected with the virus COVID-19.
The fact that a person travelled from a "risk area" or is in isolation (without further explanation of the reasons for isolation) should not in itself be considered health data. Thereat, we believe that information on the existence of symptoms of COVID-19 virus symptoms in certain individuals would undoubtedly be included in the health data category.
In any case, what should not be forgotten at this point is the fact that the processing of personal data on the health of the data subjects should be necessary and proportionate, and the personal data appropriate, relevant and limited to what is necessary for the purposes for which they are being processed.

How to protect the security of personal and health data of my employees?
The basic requests of the GDPR stipulate that processing must be based on at least the following principles:
- The principle of necessity;
- The principle of proportionality; and
- Implementation of measures protecting the rights of data subjects.
To this end, personal data protection measures related to COVID-19 should include:
- Restricting the number of persons who have access to such data – e.g. to form an internal crisis headquarters;
- Introduce strict time limits – for example limit the processing of records while public measures and recommendations for emergency are in place;
- Persons processing personal data must be persons already familiar with the rules governing the processing of personal data – or try to rely on the 0-24 available assistance of external advisors;
- Ensuring transparency in relation to the category of data being processed and the reasons for such processing – so clearly define what you need from the information and why you should not go beyond the given frames;
Thereby, in order to fulfill his duty the data controller is to ensure compliance with the GDPR and must be able to prove the same (reliability principles), entrepreneurs should document the decisions they make and, if possible, the reasons for making such decisions regarding the processing of personal data.
Finally, if a COVID-19 virus infection occurs within your organisation, GDPR does not prevent you from notifying other employees about the infection and referring them to appropriate measures.
However, in doing so, protect the privacy of the infected person and avoid revealing his/her identity.

Is the entrepreneur allowed to send heath information of his employees to public authorities?
As pointed out earlier, in this emergency situation there are even several legal grounds for processing personal and health data of employees and communicating them to health care institutions.
To this end, healthcare institutions may request the submission of such information on the basis of:
Article 6 (1)e) - processing is necessary for the performance of a task that is of public interest or for the exercise of the official authority vested in the data controller;
Article 9 (2)i) - processing is necessary for the public interest in the field of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of health care.
Again, each employer is obliged to process the personal and health data of the subjects in a proportionate manner, transparently recording all processing processes, while applying the appropriate security measures.

Work from home and GDPR?
GDPR is not a barrier to organising work from home.
Here, the employer is first expected, within the framework of labor law, to provide the employee with adequate opportunities for such work.
However, do not forget to make sure that adequate security measures have been implemented in your organisation for this type of work (e.g. secure remote access to servers and databases and the ability to use the organisation's e-mail remotely).

Recommendations and status quo
In conclusion, it is crucial at this point to ensure that you as an employer are aware
- of the categories of personal data you collect as a result of a pandemic caused by the COVID-19 virus,
- that such processing is covered by at least one suitable lawful basis for processing (answer to the first question); and
- that you have adequately protected the security of your employees’ personal and health data.
Also note that the advice and recommendations of the competent authorities are likely to change and be amended depending on how this situation develops.
For this reason, we encourage you to regularly follow the recommendations posted on the following links:
- Personal Data Protection Agency:
- European Data Protection Board:

Also, the BMWC GDPR team is at your disposal at all times.

about author

Mislav Bradvica

Mislav Bradvica is a Croatian Attorney at Law known for his work in the field of Litigation Law, Restructuring Law and Competition Law.

get in touch