How will Coronavirus affect your privacy

In these uncertain times, we are all concerned about the global pandemic, and everything else falls into the background. The pandemic affected all segments of our lives, including our privacy.

As reported in the World Health Organization assessment, the Chinese government took unprecedented rigorous measures to prevent the virus from spreading – “New technologies were applied, such as the use of big data and artificial intelligence (AI) to strengthen contact tracing and the management of priority populations.”

According to a statement given to Science by Gabriel Leung, Dean of the Li Ka Shing Faculty of Medicine at the University of Hong Kong:

“Two widely used mobile phone apps, AliPay and WeChat—which in recent years have replaced cash in China—helped enforce the restrictions because they allow the government to keep track of people’s movements and even stop people with confirmed infections from traveling. […]Color codes on mobile phones—in which green, yellow, or red designate a person’s health status—let guards at train stations and other checkpoints know who to let through.”

So you might be thinking, is this kind of supervision by authorities appropriate to the situation?

When it comes to personal data processing, your geographical location makes a big difference. For example, China, the European Union, and the USA have different legislation governing the processing of personal data of their citizens.

Governments, public institutions, and private organizations throughout Europe are taking measures to contain and mitigate COVID-19, which inevitably involves the processing of different types of personal data.

However, the European Union has put an emphasis on the protection of fundamental human rights and freedoms that are also applicable to personal data processing, which is not necessarily the case with other countries.

Processing personal data due to Coronavirus in the EU

If you are watching the news and are informed about details regarding Coronavirus, you might have come across sensitive personal information about patients and their family members.

The information can include the movement of patients and details about their previous and current health status.

Even if the names of patients are not directly disclosed, in some cases, it might be possible to identify the individual indirectly, so it is natural to question whether their rights have been violated.

Is data processing lawful in the case of the Coronavirus pandemic?

Although the General Data Protection Regulation (GDPR) protects a whole array of rights regarding the processing of personal data of EU citizens and residents, it also provides for situations in which such rights can be restricted, such as this Coronavirus pandemic.

It is important to note that those restrictions must respect the essence of the fundamental rights and freedoms of an individual and be a necessary and proportionate measure in a democratic society, as stated in GDPR Article 23.

This means processing can be done in an emergency situation or for other important objectives of the general public interest, such as public health. We can all agree that containing the Coronavirus pandemic qualifies as such.

The lawful basis for processing can be the protection of vital interests, when processing is necessary to protect someone’s life and freedoms, or public task.

The protection of vital interests is supposed to be used only as a last resort, in a specific situation where no other lawful basis is applicable. This means there is no need to obtain consent from the individual.

The public task can be an appropriate legal basis if the processing is necessary for performing a task in the public interest. This applies to public authorities that need to carry out their services and are authorized to do so by EU or national law.

Nonetheless, Data Protection principles like the data minimization principle and the principle of proportionality should be respected at all times.

Is personal data processing in the case of Coronavirus ethical?

It is important to note that processing that has a foothold in the law does not automatically mean it is right from an ethical perspective.

Fundamental human rights, although protected, can be restricted in certain circumstances, such as Coronavirus. Your rights may have to be restricted to protect other people’s rights or the rights of the community.

Therefore, the DPIA (Data Protection Impact Assessment) needs to be done prior to the processing to determine all consequences and evaluate an activity that is specifically related to the processing of personal data.

Data Protection Impact Assessment is a process that identifies and minimizes risks related to personal data processing. Organizations usually conduct a DPIA once they engage in a new data processing activity.

Under the GDPR, DPIA is a legal requirement if a data controller envisages a processing activity “likely to result in a high risk to the rights and freedoms of natural persons” (GDPR, Article 35).

Such processing and disclosing of personal information is done with a greater good in mind. It is a mutual obligation to protect each other and society from a serious threat.

At all times, public health officials should keep in mind that information must be disclosed with respect for the patient and in the minimum amount needed to achieve public health goals.

The important thing is to strike a balance between social responsibility and ethical responsibility.

What is the obligation of the employer during COVID-19?

Public institutions and organizations are not the only ones processing the personal data of individuals. Organizations in the private sector are also processing sensitive personal information due to Coronavirus.

As an employer, you have an obligation to protect your employees, and therefore, you are allowed to take certain measures.

For instance, you can ask your employees whether they have symptoms or have recently traveled to one of the countries that are considered the center of the Coronavirus outbreak.

However, you should not disclose or collect more information than is necessary. Restrict the access to that information to essential personnel and apply appropriate safeguards.

Make sure you are compliant with Article 5 regarding the GDPR principles relating to processing of personal data.

This is just a high-level overview. Since not all EU countries are affected in the same way, the allowed measures can differ.

EU guidelines on the processing of personal data in the case of COVID-19

In response to the Coronavirus outbreak, the European Data Protection Board has issued a statement on the processing of personal data in the context of COVID-19. Andrea Jelinek, Chair of the European Data Protection Board (EDPB), stated:

“Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

This means we are not automatically put into the Mad Max scenario of societal collapse; the processing still has to be done in accordance with the GDPR, and data subjects’ rights should always be respected.

Where national law has implemented the ePrivacy Directive, location data should, if possible, only be used when the data is anonymous or with proper consent. If this is not possible, Article 15 of the ePrivacy Directive enables Member States to introduce legislative measures pursuing national security and public security.

Why is processing personal data important in containing COVID-19?

In order to measure the pandemic, information on health status and chronic illnesses has to be collected, and the movement of all those with whom patients have been in contact has to be monitored.

Extreme measures applied are justified if they help combat the global pandemic, and from a privacy perspective, monitoring people and collecting medical information is indeed an extreme measure.

Not much can be done without proper data. There are still facts about the virus that doctors and scientists have not yet figured out, and their access to data can give better insight into how the virus is behaving and change the course and progress of the outbreak.

In order to understand the spread of the virus, or how it affects someone’s health, public health experts sometimes need to process and/or disclose personal information about patients to alert the public.

Conclusion

The World Health Organization has commended the remarkable speed with which Chinese scientists and public health experts isolated the causative virus, established diagnostic tools, and determined key transmission parameters, gaining invaluable time for the response.

China is already working on rebooting its economy, reopening its schools, and returning to a normal life, even as it works to contain the remaining chains of COVID-19 transmission.

The non-pharmaceutical measures combined with public health measures interrupted the chains of human-to-human transmission, and we are hoping that the EU lockdown will have the same effect.

Hopefully, processing our personal information and monitoring our movements can help contain the pandemic and assist scientists in developing a vaccine and understanding the virus better.

However, processing should never be excessive; we should never lose focus on why the processing is conducted, and as soon as the threat diminishes, the processing should cease.
