Coronavirus and GDPR , the Spanish AEPD weighs in:

• Data protection should not be used to hinder or limit the effectiveness of the measures taken by authorities in the fight against the pandemic.
• Consent may not be required. Appropriate legal bases for the processing of personal data for the control of epidemics and their spread, include public interest (art. 6.1.e), vital interests of an individual or all susceptible to be infected (art. 6.1.d), or compliance with a legal obligation (employer’s prevention of occupational risks for personnel).
• Emergency laws provide health authorities the powers to adopt necessary measures. Parties processing personal data must follow these instructions.
• Subject to the limitations set in labor and workplace safety laws, employers may process data necessary to guarantee the health of personnel and avoid contagion within the company.
• Processing personal data, even in these situations of health emergency, must continue to be done in accordance with the regulations on the protection of personal data, especially data minimization; and purpose limitation.

Read the full guidance from Agencia Española Proteción Datos.