Covid-19 & GDPR

The impact of Covid-19  

Covid-19, or Coronavirus, has spread like wildfire, eliciting profound and decisive action from national governments across the globe. The so-called lockdown measures, imposed by the UK government to contain the virus, have impacted every aspect of life, including business. Businesses nationwide are grappling with previously unforeseen and uncontemplated legal issues, as they try to do their bit to manage the outbreak.  

One issue businesses may be considering is their GDPR obligations.

In this article, we take a look at just one of many data protection issues raised by the Covid-19 outbreak and bring you up to date on the latest guidance for businesses striving to remain compliant in such unusual circumstances.

The legal issue

For public health reasons, it is incredibly important for people potentially exposed to the virus, to be made aware of that potential exposure. However, businesses that receive information regarding Covid-19 from employees, will still be subject to their data protection obligations when processing or disseminating this information. The question is, are businesses processing this sensitive information legally?

The law

Information about an individual’s health is a special category of sensitive information under Article 9 of the GDPR. In order to process the information legally, a business must (amongst other things) ensure that there is a lawful basis for the processing. These include processing for:

  • Public interest in public health;
  • Protection of vital interests; or  
  • Carrying out obligations in the field of employment or social protection law

In the UK, employers should be able to rely on the last of these exemptions, because UK companies must take reasonable steps to look after the health, safety and welfare of their employees. This obligation is likely to justify and provide a legal basis for collecting information about their employees’ health (such as any confirmed diagnoses of Covid-19).  

The latest developments

On 20th March, the European Data Protection Board released a statement on the processing of personal data, in light of the Covid-19 outbreak. This is available here:

Broadly speaking, this confirmed that employers will be able to process personal information regarding Covid-19, provided they can rely on appropriate legal grounds, such as the reasons of public interest in the public health, or to protect vital interests. If this can be established, the consent of the data subject will not be required to process the personal information.

Why comply?

Failure to comply with the principles of data protection in the GDPR may leave your business open to substantial fines. Article 83 of the GDPR, states that infringements of the basic principles for processing personal data are subject to the highest tier fines. This could be a fine of up to the equivalent of 20 million euros or an amount equivalent to 4% of your business’s annual turnover; whichever is higher.

Contact us

Here at Berry Smith, we advise businesses on their GDPR obligations on a daily basis. If you need advice on your GDPR or data protection obligations, please contact Dan Dowen on or call 029 2034 5511 and ask for the Commercial team.