Governance · 5 min read · Credibility 40/100

Governance Briefing — EDPB clarifies COVID-19 workplace and health data rules

The European Data Protection Board issued guidance on April 21, 2020, outlining GDPR expectations for processing employee health data during COVID-19, emphasizing necessity, proportionality, and clear legal bases for workplace measures.

Executive briefing: The European Data Protection Board reiterated GDPR obligations when processing health and location data during the pandemic. The guidance confirms that public health authorities and employers must choose appropriate lawful bases, limit collection to what is necessary, and keep workers informed about screening, contact-tracing, or telework monitoring.

What changed

  • Supervisory authorities may authorize emergency processing, but employers still need clear legal grounds such as legal obligations or substantial public interest.
  • Data minimization and storage limitation remain mandatory; broad symptom logs or open-ended retention were discouraged.
  • Employees retain rights to information and access, and employers should avoid widespread disclosure of infected individuals’ identities.

Why it matters

  • Many organizations rolled out health attestations and contact tracing hastily; the EDPB set boundaries to reduce over-collection and discrimination risk.
  • Non-compliant screening programs could violate GDPR and labor law, triggering enforcement or employee grievances.
  • The statement establishes a precedent for balancing emergency response with fundamental rights during future crises.

Action items for operators

  • Document lawful bases for each COVID-19 measure (temperature checks, symptom surveys, proximity monitoring) and map retention periods.
  • Restrict access to health data to trained personnel, using aggregated reporting where possible to inform workplace decisions.
  • Update privacy notices to explain COVID-19 processing and routes for employees to exercise their rights.