Iceland’s data protection authority offers advice on GDPR compliance during the COVID-19 outbreak.

Key takeaways

  • Information that a person is quarantined is generally not considered to be sensitive personal information, but it is appropriate to pay particular attention to the principles of the Data Protection Act on data minimization and fairness.
  • Maintain only the minimum

General:

This is not the time for strict enforcement of data protection. We are showing agility during this crisis.

Work:
  • Information that someone is infected with coronavirus is health information.
  • Information that someone has been quarantined or returned from a so-called “risk area” is not health information.
  • Employers should not disclose information that individual employees

Coronavirus and GDPR – the Belgian authority weighs in:

  • Public health is paramount and prevention and the right to privacy are not incompatible.
  • Follow the instructions of the competent authorities so that all measures taken are proportionate.
  • Even in the context of taking preventive health measures, the general principle is that any processing of personal

Italy, which is currently dealing with the most serious COVID-19 outbreak in Europe, weighs in on health data and GDPR.

Employers should NOT:

  • systematically collect (e.g. through specific requests to employees or unauthorized investigations) information on the presence of any flu symptoms or travel of employees or closest contacts.
This means do not:
      • collect

Tell me, don’t sell me, the GDPR version.

The Dutch Data Protection Authority (AP) has imposed a fine of 525,000 euros on tennis association KNLTB for selling personal data without proper consent.

In 2018, the KNLTB unlawfully provided personal data of a few hundred thousand of its members to two sponsors for a fee. The

Risky business.

“All in all, the privacy risk can be defined as the possibility of an unwanted or unexpected consequence from the perspective of the individual, causing any level of harm or nuisance to her, resulting from the loss of either confidentiality, integrity or availability (information security issues) of her personal data or from insufficient

European Union Data Protection Authorities discussed enforcement priorities at the International Association of Privacy Professionals (IAPP) Data Protection Intensive.

Key takeaways:

  • CNIL: Online advertising and cookies are a focus right now.
  • Ireland DPC: currently handling 10,000 complaints with 23 investigations into so-called big tech companies, and two investigations at the decision-making stage. An area of

  • Connected cars are “terminal equipment” and consent under the ePrivacy regime is required.
  • Connected cars are IoT devices.
  • Geolocation is very sensitive; don’t collect unless necessary.
  • Implement data protection by design and default at every stage.
  • Connected cars pose unique challenges for transparency and consent – you must find ways to overcome them.

These are