All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, or stored in any retrieval system of any nature without prior permission of the publisher. Application for permission for other use of copyright material including permission to reproduce extracts in other published works shall be made to the publisher. Full acknowledgment of author, publisher and source must be given. Nothing in this newsletter shall be construed as legal advice. Professional advice should therefore be sought before any action is undertaken based on this publication.
In this newsletter we deal with the implications for GDPR following the outbreak of COVID-19 in relation to:
a. employers when balancing between confidentiality of infected individuals (employees) and public interest (informing others who have been put at risk);
b. employees while working remotely.
Businesses and any entity processing sensitive data may face a dilemma in the near future in light of the spread of COVID-19.
One of the questions that may be asked is how an employer, for example, protects the privacy of people (employees) who have been infected by COVID-19 while under a duty to inform those who have been put at risk.
Under Article 9 paragraph 1 of the GDPR:
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
The above inevitably creates confusion, yet there are explicit exceptions within Article 9 paragraph 2. The most notable one is the following:
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
Article 9 paragraph 2 (b) is also of relevance to employers as it constitutes an exemption to the prohibition of paragraph 1 above when:
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
The above exceptions have been ratified into national Greek law by virtue of Article 22 of Law 4624/2019.
Striking a balance between private and public interest in the light of COVID-19
There are cases where striking a balance between confidentiality and protecting public interest (on the grounds of public health) may be a cumbersome task. The line between one and the other cannot be clearly drawn. A business or employer may preferably opt for making a company-wide announcement when informing their employees, but what happens in small businesses, where the employee's data would be more difficult to withhold?
Non-disclosure of Identities:
One may argue that, unless it is absolutely and strictly necessary, identities (e.g. of infected employees) should not be disclosed.
Only required data should be gathered:
Furthermore, one may argue that no more data than what is absolutely required should be collected by employers and data controllers in general.
The Greek Government enacted a Legislative Act on the 12th of March 2020 aiming, among other things, at mitigating the spread of COVID-19 in Greece. Under Article 4 paragraph 2 of the Legislative Act (see our Article), the employer may decide that work may be carried out by employees remotely.
What are the implications for GDPR, though, in light of the increasing demand for remote work?
A useful guide to this end was published by the Data Protection Commission (DPC) of Ireland on the 12th of March 2020. It provides tips for keeping personal data safe when working away from the office and can be handy to anyone working remotely.
The following precautions can be taken when working with devices carrying personal data, when using email and/or when accessing cloud services or the web. As the DPC points out:
Valmas Associates are committed to providing periodic newsletters to clients, prospective clients and the general public amidst the outbreak of the now declared pandemic of COVID-19. Contact us if you require professional guidance and assistance.
About our Newsletters
Valmas Associates are committed to providing clients with regular updates on legislative and industry changes in the form of opinions, publications and newsletters.
About the Author
Ioannis Valmas LLB, LLM, (MSc) is Managing Partner at Valmas Associates and a Greek trial attorney and legal advisor who has represented, almost exclusively, since 2008, overseas clients (from government bodies to private individuals) for their administrative, business and personal legal matters in Greece, gaining a stellar reputation abroad. He has lived abroad for almost a decade and earned several degrees from UK Universities. He has attended seminars at US Universities (Harvard and Stanford Law Schools). He has been a member of the Athens Bar Association for over a decade. He is appointed before the Court of Appeals and licensed to practice law throughout the territory of the Hellenic Republic, Greece. His writings on Greek Real Estate Law, Aviation Law and Shipping have been widely published in recent years by publishers in Greece and abroad.