Personal Data Protection and Coronavirus COVID-19


2020 03 16


The State Data Protection Inspectorate of the Republic of Lithuania informs that the processing of certain personal data related to the current situation due to coronavirus (COVID-19) is compatible with the General Data Protection Regulation (hereinafter – GDPR). This information is relevant to employers, educational institutions, and other public and private sector organizations.

What personal data can be processed?

To ensure that the processing of personal data does not violate the data minimisation principle set out in the GDPR, it is possible to process internal sets of personal data about employees, apprentices, etc. that include the following information:
•    Whether the person was traveling to a ‘country of risk’,
•    Whether the person was in contact with a person traveling to a ‘country of risk’ or suffering from COVID-19,
•    Whether the person is at home due to quarantine (without giving a reason) and the quarantine period,
•    Whether the person is ill (without specifying a specific disease or other reason).
Please be advised that an employer or other data controller shall have the right to ask their employees or visitors whether they have symptoms of COVID-19 or whether they have been diagnosed with COVID-19. This information is important for the employer in assessing whether additional protective measures are needed, such as obliging employees, who have worked with or contacted a sick person (having symptoms), to undergo quarantine, to provide conditions for remote work or health checks, and so on. However, it should be emphasized that the right of access to this information does not imply that employers or other data controllers can document the information received or compile relevant data files.
Employers may also process such personal data related to the employee as the fact of opting for telework and other restrictions on the employee’s work.

Can processed lists (other personal data) be disclosed to public authorities for public health purposes?

Even in a pandemic situation, the protection of personal data should not be overlooked. Any personal data processed by employers or other data controllers must be provided to public authorities for public health purposes in accordance with GDPR requirements.
Please note that requests for personal data must be assessed on a case-by-case basis; for example, where statistics are requested, the controller (data processor) should not provide data identifying the particular data subject.
We recommend documenting each case of personal data submission to ensure later implementation of the accountability principle.

Are public authorities’ notifications direct marketing?

No, sending notifications and reminders of potential threats, areas to be avoided, necessary safeguards, or other actions required for persons who have gone to foreign countries, persons returning or who have recently returned from foreign countries, as well as sending other important notifications to residents of Lithuania or persons visiting Lithuania is not considered direct marketing.

What actions should be avoided?

Where global measures to control the current situation, such as restriction of missions and meetings, cancellation of events, and ensuring certain hygiene requirements, are in place, data controllers should not violate the right of their employees or other data subjects to the protection of personal data; for example, data subjects should not be required to provide personal data which are not necessary to carry out the established procedure.
It should be emphasized that data controllers should refrain from collecting temperature readings of staff or visitors, medical records, or other such information. This cannot be considered as an obligation on the employer.
The controller should take active steps to inform data subjects about symptoms, potential risks, ways of managing them, measures to be taken, opportunities for teleworking, the duty of employees to report on COVID-19 or similar symptoms, etc.

Where can I get additional information?

We recommend contacting the National Labour Inspectorate under the Ministry of Social Security and Labour and the Ministry of Health of the Republic of Lithuania for information on other employers’ obligations arising from the declared pandemic.
Please also be informed that the European Data Protection Board (EDPB) has provided a separate notification on the processing of personal data in the situation when the COVID-19 virus.

Information from EU member states and other countries on data protection and COVID-19