Malta's Information and Data Protection Commission has released a statement encouraging data controllers to adhere to public health authorities' instructions to prevent the spread of the coronavirus, including where this involves personal data processing that may be necessary in compliance with national law.
"It is well known that public and private organisations are taking the necessary measures to contain and mitigate the dramatic effects of the coronavirus. These measures are likely to require the processing of different types of personal data, including health data, which is a special category of data under the GDPR," the Commission said in a statement released on 20th March.
Companies processing special categories of personal data, such as employee health data, in connection with the ongoing COVID-19 situation, may rely on the provisions of the GDPR for an appropriate legal basis to process such data. Obtaining consent from the data subject is not required.
The statement assured local organisations that in terms of Article 9 of the GDPR, controllers may refer to the exceptions set out in Article 9 of the GDPR, which legitimises the processing of special categories of personal data in particular, where the "processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health".
However, companies remain data controllers and are still required to ensure that personal data is processed lawfully. The Commission urged companies processing personal data in connection with COVID 19 (such as employee health data) to apply the appropriate measures to ensure personal data is processed safely, striking a balance between necessity and data subjects' rights.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.