GDPR & COVID-19 Coronavirus

by | Apr 7, 2020

Since the COVID-19 pandemic began everything has been moving at breakneck pace and there has been little time to consider how it impacts the European Union’s General Data Protection Regulation (GDPR).

It is understandable, and perfectly reasonable, to expect that organizations and authorities will be required to process personal data during the crisis as they attempt to assist anyone suffering as best they can. Even though data authorities are expected to be reasonable when it comes to the processing of data and potential breaches of private information, there are a number of key conditions which must be in place at all times.

It is vitally important to ensure that data protection measures do not prevent individuals and groups receiving the appropriate amount of care during the crisis, and data processing will likely need to take place for this to occur. However, all steps and policy decisions made that involve the use of personal data should be necessary, proportionate and formulated using the guidance provided by the appropriate authorities in that specific jurisdiction.

Key GDPR Considerations During COVID-19 Pandemic

1. Legal Basis for Processing Data

There are a number articles in the legislation that allow for processing of personal private data during a crisis such as this. For instance, if a public health authority issues guidance to complete a specific task or provides a specific treatment, then Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 allows for the processing of personal data, including health data.

However, this is only legal if the appropriate security measures are implemented (more on this below). These measures would include:

  • A clear defined period and rules for access to the data
  • Strict time limits for data
  • Training staff to ensure that they are aware of their GDPR obligations

2. Employer Obligations During COVID-19 Pandemic

Employers must allow the processing of personal data if it is to protect their employees – as per the Safety, Health and Welfare at Work Act 2005 and Article 9(2)(b) of GDPR – if it is deemed a necessary and proportionate step.

In tandem with these obligations, all personal data processed must remain confidential to avoid breaches occurring. For example, it should be never be disclosed if a member of staff or their family are currently suffering from coronavirus nor should enough information be provided to allow for the identity to be ascertained.

3. Processing Data in Relation to Incapacitated Individuals

There is a legal basis to processing the private personal data of an individual if it can be shown that this is in their best interests or the best interests of another party. For example, if a person is either physically or legally incapable of providing their consent, then their data may be processed using this basis.

However, this is only acceptable if there is no other legal basis for processing the data and this is only valid in emergency situations.

4. Recording of Data Processing

Anyone processing data (data controllers) must record the decision-making process for implementing data processing steps during the current crisis.  A clear record of this should be maintained so it may be referred to at a later date if any issues are to arise.

This will also allow this process to be 100% transparent. It is crucial to include the purpose of the data processing and state how long the data will be retained for. If there is any query in relation to this then the above can be provided to data subject in a concise, easily accessible and easy to understand way.

5. Confidentiality of Individuals

No one may be made aware of the identity of any impacted individuals unless there is a clear and carefully reasoned basis for doing so. If an identity is disclosed then this must be done in a way that maintains the security of the data.

This is more achievable by ensuring that only smallest amount of data possible is made available to achieved the aim of the disclosure.

More Information

A number of data authorities have made more information available in relation to GDPR during the COVID-19 Coronavirus pandemic. You can read these on the links provided below:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy