Slovakia: GDPR in the context of the coronavirus crisis
On 19 March 2020, the European Data Protection Board (EDPB) adopted a formal and broader statement on the processing of personal data in the context of the COVID-19 crisis.
In this statement, EDPB confirmed that, even during a crisis such as the COVID-19 pandemic, the data controller and processor must ensure the protection of the personal data of the data subjects. However, EDPB also acknowledges that emergency is a legal condition which may legitimise restrictions of freedoms, provided these are proportionate and limited to the emergency period only. The statement does not and cannot give clear answers to specific questions, since the legislation of individual EU Member States varies. The EDPB briefly states that:
- personal data, including special categories of data, can be processed by competent public authorities (e.g. public health authorities), assuming that there is a legal mandate of the public authority provided by national legislation according to the conditions enshrined in the GDPR. In addition, data subjects should receive transparent information on the processing activities that are being carried out, and their main features, including the retention period for collected data and the purposes of processing. The information provided should be easily accessible and provided in clear and plain language.
The Slovak Data Protection Authority (Slovak DPA) (Úrad na ochranu osobných údajov) issued a statement related to the processing of temperature data of the data subjects in which it states that such data fall within the scope of a specific category of personal data. GDPR requires the fulfilment of special conditions under Article 9 and the existence of a legal basis under Article 6, i.e. it requires generally binding legislation laying down appropriate and specific measures to protect the rights and freedoms of the data subjects. According to the Slovak DPA, such legal regulation could be set out by Act No 42/1994 Coll. on Civil Protection of the Population, on the basis of which a concrete measure must be issued.
- employers are permitted to process personal data during pandemics such as COVID-19, provided that they have appropriate legal grounds, such as public interest in public health, protection of vital interests (Art. 6 and 9 GDPR) or compliance with another legal obligation.
In the respective statement, EDPB merely repeated its statement from 16 March 2020 regarding processing of personal data in the employment context, but it also tries to answer more detailed questions related to employment relationships.
Furthermore, EDPB underlines the fact that the GDPR principles of proportionality and minimisation must be fulfilled and the employer may process health information only to the extent allowed by the national legislation, which applies also to medical checks of the employees.
As regards the provision of information by employers to employees in case their co-worker is infected with COVID-19, the above-mentioned GDPR rules should be taken into consideration, i.e. the employer should not communicate more information than necessary. If it becomes necessary to reveal the name of the employee(s) who contracted the virus, it must be allowed by the national law, the concerned employees (data subjects) shall be informed in advance, and their dignity and integrity shall be protected.
- with respect to the processing of telecom data (such as location data), EDPB clearly states that public authorities should first seek to process location data in an anonymous way (i.e. processing data aggregated in a way that individuals cannot be re-identified) which could enable generating reports on the concentration of mobile devices at a certain location (“cartography”).
When it is not possible to process only anonymous data, individual EU Member States can introduce legislative measures on grounds of national and public security provided it constitutes a necessary, appropriate and proportionate measure within a democratic society.
The EDPB statement comes at a time when the questions related to obtaining personal data are crucial for many employers seeking protection for their employees amidst the COVID-19 outbreak.
In general, employers are allowed to measure the temperature of their employees or visitors in order to protect the health environment of the workplace, but they must do it in such a way that the legal definition of personal data processing is not met. For example, if the temperature of employees or visitors has to be measured before entering the workplace, the outcome of the measurement can be either allowing or denying entrance to the workplace, without further storage of such data or even attribution of the data to the individual.
Legal update: As an emergency measure, the Slovak government introduced mandatory temperature measuring before entering selected areas, including shops. It is expected that this measure will be effective immediately. We will provide further details once available.
Employers cannot require their employees to fill out compulsory medical questionnaires about their health history as these data are considered a specific category of personal data and the employers do not have the legal title for their processing.
Employers should also not “track down” their employees, even if they are processing data from their business cars or localisation data from their mobile devices. These data are usually processed on other grounds and for purposes other than protection from virulent diseases. If the employer finds it necessary to process these data to protect its employees from COVID-19, all GDPR rules must be observed.
Legal update: As an emergency measure, the Slovak government introduced limited use of localisation data, protected otherwise by telecommunication privacy laws, by selected healthcare authorities. The proposed action is envisaged as a temporary measure, with the respective period to expire on 30 April 2020. It is expected that this measure will be adopted by the Parliament through accelerated legislative procedures.
On 21 March 2020, the Slovak government issued a series of new measures related to the COVID-19 pandemic, including suspension of GDPR in the interest of providing operational information on confirmed cases and persons in close contact with high risk of exposure, in accordance with the Guideline No OE/791/84737/2020 of the Chief Health Officer of the Slovak Republic of 9 March 2020, for businesses to be able to declare quarantine situations and ensure production.