Processing of personal data in the context of managing COVID-19

Following its plenary decision No 5/2020, the Authority issued guidelines on processing of personal data in the context of managing COVID-19. These guidelines have specified the legal possibilities for the competent public authorities and private bodies to process data as controllers under the General Data Protection Regulation 2016/679 (hereinafter “GDPR”), Law 4624/2019¹ and other relevant legislation, in the context of the need to tackle the spread of the virus. The Authority, in relation to the processing of personal data by employers for the purpose of containing the spread of COVID-19, among other things, refers to specific issues of lawful processing of employees’ personal data. The Authority has also drawn attention to the rules for the processing of personal data of family members or close friends of persons who have died of COVID-19, as well as the rules for the processing of personal data by the data subjects-coronavirus sufferers themselves. Finally, the Authority has addressed the issue of the processing of personal data for journalistic purposes. See Guidelines here (in Greek).

In view of the above, the Authority points out the following:

1. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, such as the right to life and health.
2. The controller, both in the public and private sector, in taking the necessary measures to prevent the spread of COVID-19, may process personal data in accordance with Articles 5, 6 and 9 of the GDPR. In that case, no measure should in advance be excluded, especially during these critical and unprecedented circumstances.
3. The legislation on the protection of personal data, in the context of measures to protect public health in general and the health of data subjects at workplaces, provides, on the one hand, the appropriate legal bases for the processing of personal data, and enables, on the other hand, national legislators to specify delegated processing operations that are necessary for reasons of public interest including the area of public health and in accordance with the provisions of the GDPR.

¹Law 4624/2019, Hellenic Data Protection Authority, measures for implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, and transposition of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, and other provisions.