Ireland’s Data Protection Commission weighs in on the issue of COVID-19 and data access requests:

“The Data Protection Commission acknowledges the significant impact of the Covid-19 health crisis which may affect organisations’ ability to action GDPR requests from individuals, such as access requests.

While the statutory obligations cannot be waived, should a complaint be made

Coronavirus and Data Protection guidance from the Catalan Data Protection Authority:

  • Under Articles 6.1.(e) and 9.2.(i) GDPR, health authorities may share health data when this is needed for reasons of public interest in the field of public health, such as protection against serious trans-boundary health threats, or to guarantee high levels of quality and safety

The Czech Republic’s Data Protection Authority, Urad pro Ochranu Osobnich Udaju, provides its guidance on GDPR and COVID-19:

  • Public health authorities are authorized to process personal data to the extent and for the purpose laid down by Act No. 258/2000 on public health protection. This includes taking appropriate measures to reduce the spread of contagious

Following a series of opinions from individual nations’ Data Protection Authorities, the European Data Protection Board (EDPB) has issued long-awaited guidance on compliance with the General Data Protection Regulation under the strain of a pandemic.

The EDPB does not go into detail regarding legal bases but states that:

  •  GDPR does not get in the way

The Austrian Data Protection Authority weighs in on Coronavirus and GDPR:

  •  Employers may collect the personal contact information of employees for the purpose of efficient communication during the pandemic. This information may not be used for any other purpose and must be deleted after the pandemic is over.
  • Collecting this information is permissible under Art.


This is not the time for strict enforcement of data protection. We are showing agility during this crisis.

  • Information that someone is infected with coronavirus is health information.
  • Information that someone has been quarantined or returned from a so-called “risk area” is not health information.
  • Employers should not disclose information that individual employees

The United Kingdom’s Information Commissioner’s Office has provided it’s guidance on COVID-19 and data privacy.

  • Public health messages are not direct marketing.
  • It’s about being proportionate – if some data processing feels excessive, then it probably is.
  • The ICO is a reasonable and pragmatic regulator… Regarding compliance with data protection, it will take into account

Coronavirus and GDPR – the Belgian authority weighs in:

  • Public health is paramount and prevention and the right to privacy are not incompatible.
  • Follow the instructions of the competent authorities so that all measures taken are proportionate.
  • Even in the context of taking preventive health measures, the general principle is that any processing of personal

Coronavirus and GDPR , the Spanish AEPD weighs in:

  • Data protection should not be used to hinder or limit the effectiveness of the measures taken by authorities in the fight against the pandemic.
  • Consent may not be required. Appropriate legal bases for the processing of personal data for the control of epidemics and their spread,