EDPB outlines GDPR rules for COVID-19 data processing

Executive briefing: The EDPB clarified that GDPR provides legal grounds—such as public interest in public health and vital interests—for processing personal data during COVID-19. It reminded controllers that emergency measures must respect necessity and proportionality and include safeguards like transparency and data minimization.

Why it matters

• Organizations assisting public health authorities need clear legal bases for handling health and location data.
• The statement underscores that GDPR is flexible during emergencies but still requires purpose limitation, data minimization, and transparency to data subjects.
• Employers collecting employee health status or travel history must apply appropriate legal grounds and safeguards.

Operator actions

• Document the legal basis (e.g., public interest in public health, vital interests, employment law obligations) for any COVID-19 data collection.
• Limit collection to necessary data, set retention schedules, and inform data subjects about processing purposes and rights.
• Engage DPOs to review emergency measures and ensure DPIAs are updated where high-risk processing is introduced.

Key sources

• EDPB Statement on processing personal data in the context of COVID-19 (lays out legal bases and proportionality requirements).
• EDPB news release (summarizes controller obligations and key safeguards).