What happens to the obligations arising under the General Data Protection Regulation during the pandemic period?

The applicable data protection obligations remain in force regardless of epidemics, pandemics or any other type of outbreak; cautionary, contingency or disaster situations, whether or not declared by the public authorities; and the state of emergency.

Therefore, the rules arising from the General Data Protection Regulation (GDPR) and other applicable personal data legislation must continue to be observed.

 

Can social organisations collect personal data within the context of the implementation of their COVID-19 contingency plan?

For more information, please refer to our website here.

 

Can social organisations collect personal health data regarding COVID-19 and keep a record of this data?

If an organisation intends to collect health data (which is classified as “special” data), the legal requirements are more stringent, given that the collection of such personal data is, as a rule, forbidden. However, the GDPR foresees a few exceptional instances where health data may be processed, notably: (i) consent; (ii) the need to process data to comply with labour obligations and to exercise labour-related rights; (iii) the provision of healthcare, medical treatments or social care; and (iv) the need to process data for reasons of public interest in the field of public health.

Regarding data holders such as volunteers, service providers and the beneficiaries of such services, the collection of personal data may, depending on the specific case, be based on the consent of the data holders. However, this may entail operational challenges, starting with providing information to volunteers and beneficiaries and collecting data holders’ consent, considering that the population is currently in a situation of social isolation. In the case of employees, consent is not the most appropriate condition, given the imbalance between employer and employee (which calls into question whether consent is freely given).

As such, the organisation will have to carefully evaluate which condition of lawfulness best suits the specific case at hand, taking care to document any assessment undertaken and decision adopted in this regard, and always ensuring and demonstrating that the rules for the protection of personal data have been duly complied with and that the least intrusive measures, from a privacy standpoint, were adopted.

Furthermore, considering the principle of limited processing of data (i.e. the collection of data is linked to the adoption of a COVID-19 contingency plan), it must be ensured that, at the end of this period, the data will be deleted by the organisation and will not be used for any other purpose.

 

Can social organisations share data collected in the context of their social activities with public authorities on public health grounds?

Depending on the circumstances of the case, organisations may share personal data related to their social action with public authorities on public health grounds, provided that this obligation arises from the law and/or from the regulations applicable to the sector in question, or if there is any other legal basis for the sharing of data.

 

What other precautions should be taken by social organisations?

Social organisations must, in any case, including in the context of actions developed in response to COVID-19-related social needs, provide information on the terms under which the data will be processed, in accordance with Articles 13 and 14 of the General Data Protection Regulation, identifying, from the outset, the purposes for which the data will be used. This information should be provided through easily accessible means and in clear and simple language.

Since the majority of the population is currently in social isolation and not everyone has access to electronic or digital means of communication (especially the older population), it may be necessary to resort to innovative solutions in the provision of information on data processing, as well as in the collection of consent where required, in order to ensure that organisations can demonstrate their fulfilment of the applicable obligations in this regard.

Given the sensitivity of the data, organisations must always determine who, within the organisation, will have access to this information and, as a result, be bound to a duty of confidentiality. Appropriate technical and organisational security measures shall also be taken to ensure the confidentiality of the data.

These measures must also be taken with respect to teleworking and the internal and external communication systems adopted by organisations.

 

Has the Portuguese Commission for Personal Data Protection (CNPD) commented on the matter?

For further information on this, please see our website here.

 

 

 

__________________________

This information is being updated on a regular basis.

All information contained herein and all opinions expressed are of a general nature and are not intended to substitute recourse to expert legal advice for the resolution of real cases.