General Data Protection Regulation (GDPR)

Democratic Senators introduced a second COVID-19 privacy bill.

It addresses the collection and processing of data in connection with fighting the COVID-19 pandemic. This Democratic Senate bill shares a number of key points with the recently filed Republican Senate bill, among them:

  • consent required for collection and revocable
  • disclosure at collection
  • information security
  • data minimization

Alessandra Pierucci, Chair of the Committee of Convention 108 and Jean-Philippe Walter, Data Protection Commissioner of the Council of Europe, issued a Joint Statement on Digital Contact Tracing.

Key principles for digital tracing:
  • transparency
  • data minimization
  • impact assessment
  • de-identification
  • safeguards from automated decision making

More details in my client alert.

Italy’s Garante and France’s CNIL publish updated guidelines on privacy in the workplace as workplaces are opening up for a phased return to normal.


  • Automatic collection of temperature (e.g. by thermal cameras) is not allowed
  • Taking temperature by means of a manual thermometer (such as for example of infrared type without contact) at

The European Data Protection Supervisor addressed the coronavirus crisis in a post titled “Carrying the torch in times of darkness.”

“The outbreak of Covid-19 is affecting our lives at an unprecedented pace. It is testing the resilience of our societies as we respond to this global crisis and try to contain its consequences, both in

The European Data Protection Board issues guidance on consent, in reliance upon the Working Party Article 29 Guidelines on Consent.

Key additions/ takeaways.
  • Consent relying on an alternative option offered by a third party fails to comply with the GDPR.
  • A service provider cannot prevent data subjects from accessing a service on the basis that

Data Protection Authorities for France and the Netherlands have weighed in on the use of temperature taking in the fight against the spread of COVID-19.

Netherlands’ Autoriteit Persoonsgegevens:

“We hear that all kinds of organizations use different means to check people quickly for fever. Not only with a thermometer, but also with thermal cameras”

“That’s not allowed. This is a serious offense under [GDPR] . If this happens, we will enforce.”

“We don’t want to wake up in a few months in a society with a kind of Chinese situation, in which the employer is constantly watching you and can even see your care data and have all kinds of consequences.”

  • Employers may not check people’s temperature and process their health data.
  • Consent as a legal basis is not possible in an employment relationship, because an employee may feel pressured to give permission.
  • Only a doctor should do health tests and process the medical data of personnel.
  • You may not check temperature of visitors or vendors either. Consent here is not possible because there is no equivalence here either. The visitor will feel compelled to agree.
  • Employees of companies that measure temperature should report this to the works council and to the data protection officer.
Spain’s Agencia Española Proteccíon Datos:

Continue Reading Temperature-Taking Under GDPR: Guidance from Spain, the Netherlands

Coronavirus and Data Protection: The UK Information Commissioner’s Office has issued an opinion on the Google-Apple joint initiative for contact tracing apps.

Key Takeaways

  • The Google and Apple framework appears to be aligned with data protection principles.
  • The app developers have primary responsibility to ensure data protection principles are met.
  • There must be transparency as

The European Law Blog posts on how COVID-19 related data collection activities in third countries should affect EU data transfer adequacy decisions.

“The data collection and processing measures taken in third countries to combat the coronavirus are relevant to an evaluation of the continued validity of existing adequacy decisions and the potential conclusion of new