General Data Protection Regulation (GDPR)

The Austrian Data Protection Authority weighs in on Coronavirus and GDPR:

  •  Employers may collect the personal contact information of employees for the purpose of efficient communication during the pandemic. This information may not be used for any other purpose and must be deleted after the pandemic is over.
  • Collecting this information is permissible under Art.

General:

This is not the time for strict enforcement of data protection. We are showing agility during this crisis.

Work:
  • Information that someone is infected with coronavirus is health information.
  • Information that someone has been quarantined or returned from a so-called “risk area” is not health information.
  • Employers should not disclose information that individual employees

The United Kingdom’s Information Commissioner’s Office has provided it’s guidance on COVID-19 and data privacy.

  • Public health messages are not direct marketing.
  • It’s about being proportionate – if some data processing feels excessive, then it probably is.
  • The ICO is a reasonable and pragmatic regulator… Regarding compliance with data protection, it will take into account

Coronavirus and GDPR – the Belgian authority weighs in:

  • Public health is paramount and prevention and the right to privacy are not incompatible.
  • Follow the instructions of the competent authorities so that all measures taken are proportionate.
  • Even in the context of taking preventive health measures, the general principle is that any processing of personal

Coronavirus and GDPR , the Spanish AEPD weighs in:

  • Data protection should not be used to hinder or limit the effectiveness of the measures taken by authorities in the fight against the pandemic.
  • Consent may not be required. Appropriate legal bases for the processing of personal data for the control of epidemics and their spread,

Italy, which is currently dealing with the most serious COVID-19 outbreak in Europe, weighs in on health data and GDPR .

Employers should NOT:

  • systematically collect (e.g. through specific requests to employees or unauthorized investigations) information on the presence of any flu symptoms or travel of employees or closest contacts.
This means do not:
      • collect

France’s Data Processing Authority CNIL weighs in on Coronavirus and GDPR.

Employers should NOT:

  • Collect in a systematic and generalized manner, or through individual inquiries and requests, information relating to the search for possible symptoms presented by an employee/agent and their relatives.
This means:
  •  No mandatory readings of the body temperatures of each employee
  • No

Tell me, don’t sell me, the GDPR version.

The Dutch Data Protection Authority (AP) has imposed a fine of 525,000 euros on tennis association KNLTB for selling personal data without proper consent.

In 2018, the KNLTB unlawfully provided personal data of a few hundred thousand of its members to two sponsors for a fee. The