Processing Data During the COVID-19

On 19 March 2020, the European Data Protection Board (“EDPB”) released a statement on the processing of personal data in the context of the COVID-19 outbreak. The main message of the statement is that EU data protection law (in particular, the EU General Data Protection Regulation (“GDPR”)) does not stand in the way of fighting against COVID-19. However, the measures adopted need to be necessary, proportionate and consistent with safeguards required under EU member state laws. Emergency is a legal condition which may legitimize restrictions of individual freedoms, when certain criteria is met.

The GDPR already allows competent public health authorities and employers to process personal data in the context of an epidemic. Processing can be necessary for reasons of substantial public interest in the area of public health. The other relevant legal grounds include personal data processing to protect an individual’s vital interests, or to comply with another legal obligation. In these situations, there is no need to rely on consent of individuals.


In the employment context, certain personal data processing may be necessary for an employer to comply with legal obligations, including those related to workplace health and safety or the public interest. However, these measures need to be made in accordance with national laws.

Requiring health information from visitors and employees can be made if applicable national law permits that. An employer can perform medical check-ups on employees if the applicable national employment law or relevant health and safety law allows for it.

In addition to following national laws, employers need to take steps to minimise the amount of information collected and make sure the collecting is done in a proportionate manner.


The EDPB sums up that personal data processed for a particular objective should only be processed for “specific and explicit purposes”.

Individuals should receive transparent information on the processing activities that are being carried out and their main features, including the retention period for collected data and the purposes of the processing. The information should be easy to access and provided in clear and plain language.

It is important to pay attention to adequate security measures and confidentiality policies ensuring that personal data are not disclosed to unauthorised parties. These measures should be appropriately documented.


As a means to monitor, contain or mitigate the spread of COVID-19, some governments in member states may use mobile location data to geolocate or send public health messages to individuals. In these situations, the public authorities should first try to anonymise location data (e.g., by aggregation) or, alternatively, obtain the consent of individuals to process such data.

When it is not possible to process anonymous location data, Art. 15 of the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security. Such exceptional legislation is only possible if itconstitutes a necessary, appropriate and proportionate measure within a democratic society. Member State is obliged to put in place adequate safeguards, such as providing individuals of electronic communication services the right to a judicial remedy.


The proportionality principle means that the least intrusive solutions should always be preferred, taking into account the specific purpose to be achieved. Invasive measures, such as the “tracking” of individuals could be considered proportional under exceptional circumstances and depending on the concrete modalities of the processing. However, it should be intensively examined and have safeguards to ensure the respect of data protection principles.


If you need advice on processing data, do not hesitate to contact us or book a free consultation.

Schrems II and the Invalidating of Privacy Shield

We want to inform our clients about this recent CJEU ruling that invalidated the Privacy Shield mechanism.

The central question in the Schrems II case was can personal data from the EU be transferred to and stored in the US while guaranteed an adequate level of data protection as that under the GDPR?

Data Protection Commissioner v Facebook Ireland and Maximillian Schrems

The EU Court of Justice (CJEU) delivered on Thursday July 16, 2020 a ruling in the case Schrems II (C-3111/18), in which the mechanisms for personal data transfers between the EU and US was challenged based on the argument that US law cannot adequately ensure protection of EU personal data.

In a landmark decision, the CJEU struck down the Privacy Shield, one of the most widely used mechanisms allowing US commercial companies to transfer and store EU personal data in the US.

The decision by the CJEU to rule the Privacy Shield invalid renders the US a non-adequate country without any special access to Europe’s personal data streams.

Next, the CJEU considered the Standard Contractual Clauses (SCCs) valid, another commonly used mechanism for transatlantic data transfers, saying that this mechanism does make it possible in practice to ensure compliance with the level of protection required by EU law.

However, the decision requires data controllers to assess the level of data protection in the data recipient’s country and to suspend transfer if deemed non-adequate. It also underlines the strong obligation of each data protection authority in all EU member states to suspend the transfer of personal data if they deem them unsafe according to EU data protection requirements.​

You can read the official press release on the ruling here.

What is the Schrems II case about?

Named after Austrian lawyer and data privacy activist Max Schrems, the Schrems II case challenged two of the most widely used mechanisms for transferring personal data from the EU to the US, namely the Standard Contractual Clauses (SCCs) and the Privacy Shield framework.

The EU’s General Data Protection Regulation (GDPR) requires a country to have an adequate level of data protection before personal data can be transferred to it from the EU. Adequacy decisions made by the EU Commission determine whether personal data can legally be sent to a country outside the EU.

The United States is not recognized by the EU as having an adequate level of data protection, but several transfer mechanisms allow commercial companies and organizations in the US to engage in transfers of personal data from the EU to the US where it is then stored.

These include the Standard Contractual Clauses (SCCs), Privacy Shield and Binding Corporate Rules (BCRs).

Is EU personal data protected adequately after transfer to the US?

The Schrems II case made its way to the CJEU from a request in 2015 by Max Schrems to the Irish Data Protection Commissioner to order Facebook to suspend its data transfers from the EU to the US.

Facebook’s practices of transferring personal data out of the EU via their servers in Ireland to their headquarters in the US relies on the SCCs.

The CJEU ruling in the Schrems II case on July 16, 2020 sided in large part with Max Schrems, invalidating the Privacy Shield as a mechanism for EU-US personal data transfer and imposing strong obligations on data controllers and data protection authorities in each EU member state to ensure adequate protection for personal data transfers when using Standard Contractual Clauses as a mechanism.

How can Vedinor help you?

If you need assistance in implementing this ruling into your business, you can contact us. Call us +358931546648 or schedule a free consultation to discuss your situation further.