EU: EDPB issues statement on Coronavirus
The European Data Protection Board ('EDPB') issued, on 16 March 2020, a statement ('the Statement') on data protection in light of COVID-19 ('Coronavirus'). In particular, the Statement outlines that the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') provides for the legal grounds to enable employers and competent public health authorities to process personal data in the context of epidemics without the need to obtain the consent of the data subject, such as when the processing of personal data is necessary for the employers for reasons of public interest in the area of public health or to protect vital interests, under Articles 6 and 9 of the GDPR.
Furthermore, the Statement finds that, in relation to the processing of location data under the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) ('the ePrivacy Directive'), Article 15 of the ePrivacy Directive enables Member States to introduce legislative measures pursuing national security and public security. In this context, the Statement notes that safeguarding public health may fall under the national and/or public security exception.
You can read the Statement here.