Compliance · 6 min read · Credibility 73/100

EDPB outlines GDPR rules for COVID-19 data processing

The European Data Protection Board issued a statement confirming GDPR permits processing health and location data for pandemic response under specific legal bases, while stressing necessity, proportionality, and transparency.

Verified for technical accuracy — Kodi C.


The EDPB clarified that GDPR provides legal grounds—such as public interest in public health and vital interests—for processing personal data during COVID-19. It reminded controllers that emergency measures must respect necessity and proportionality and include safeguards like transparency and data minimization.

Why it matters

  • Organizations assisting public health authorities need clear legal bases for handling health and location data.
  • The statement underscores that GDPR is flexible during emergencies but still requires purpose limitation, data minimization, and transparency to data subjects.
  • Employers collecting employee health status or travel history must apply appropriate legal grounds and safeguards.

Operator actions

  • Document the legal basis (for example, public interest in public health, vital interests, employment law obligations) for any COVID-19 data collection.
  • Limit collection to necessary data, set retention schedules, and inform data subjects about processing purposes and rights.
  • Engage DPOs to review emergency measures and ensure DPIAs are updated where high-risk processing is introduced.

The EDPB clarified that several GDPR legal bases support COVID-19 data processing depending on the context. Public interest in public health (Article 9(2)(i)) permits health authorities to process health data for disease surveillance, contact tracing, and pandemic response. This basis requires Member State law authorizing such processing with appropriate safeguards.

Vital interests (Article 6(1)(d) and Article 9(2)(c)) apply when processing needs to protect someone's life. This basis supports emergency medical treatment and immediate public health responses but should not be the default choice when other bases are available and processing can be planned.

Employer obligations under national employment law may require processing employee health data to ensure workplace safety. Organizations must verify that national law explicitly authorizes such processing and implement appropriate safeguards including confidentiality and data minimization.

Proportionality Requirements

Emergency measures must remain proportional to the public health objective. Data minimization requires collecting only data necessary for the specific purpose—broad health questionnaires that gather more information than needed violate this principle even during emergencies.

Purpose limitation restricts use of COVID-19 data to pandemic response purposes. Data collected for contact tracing should not be repurposed for employment decisions, insurance underwriting, or law enforcement without explicit legal basis. Document the specific purposes and enforce access controls as needed.

Storage limitation requires deleting pandemic-related personal data when no longer necessary. Establish retention schedules aligned with public health guidance and delete data as soon as the specific purpose is fulfilled. Avoid indefinite retention justified only by potential future pandemics.

Transparency and Data Subject Rights

Data subjects must be informed about pandemic-related processing. Privacy notices should explain what health data is collected, the legal basis, retention periods, and recipients including public health authorities. Emergency conditions do not exempt controllers from transparency obligations.

Data subject rights continue to apply during pandemics. Individuals retain their access, rectification, and erasure rights, subject to applicable limitations. Controllers handling pandemic-related data should prepare for an increase in rights requests as individuals seek to understand what data is held about them.

Automated decision-making restrictions apply to pandemic measures. Algorithmic risk scoring or automated access restrictions based on health data require human oversight and the ability to contest decisions. Implement review processes for automated pandemic-related decisions.

Cross-Border Data Transfers

International pandemic response may require data sharing across borders. Adequacy decisions and standard contractual clauses remain the primary transfer mechanisms. Emergency conditions do not create new legal bases for transfers to countries without adequate protection.

Sharing with international health organizations requires assessment of the recipient's data protection practices. Document the necessity of international transfers and implement supplementary measures where recipient country protections are inadequate.

Post-Pandemic Obligations

The EDPB emphasized that emergency measures should be temporary. Organizations must plan for data deletion when pandemic conditions end, including verifying that processors and sub-processors also delete transferred data.

Documentation retention may be appropriate for compliance evidence even after deleting personal data. Maintain records of processing activities, legal basis determinations, and proportionality assessments for potential regulatory inquiry without retaining the underlying personal data.

Conduct post-emergency reviews of pandemic data processing practices. Identify lessons learned, document any compliance gaps addressed during the emergency, and update DPIAs and policies to reflect improved practices for future scenarios.

Cited sources

  1. Statement on the processing of personal data in the context of the COVID-19 outbreak — European Data Protection Board
  2. EDPB Chair on processing personal data in COVID-19 context — European Data Protection Board
  3. ISO 37301:2021 — Compliance Management Systems — International Organization for Standardization