[导读：2020年3月16日，欧洲数据保护委员会（EuropeanData Protection Board, “EDPB”）主席Andrea Jelinek发表了《关于在新冠肺炎疫情期间处理个人数据的声明》。该声明指出，包括GDPR在内的欧盟数据保护法，与为对抗疫情而采取的措施并不矛盾，包括：（1）在法律依据方面，GDPR提供了若干允许雇主和公共卫生主管部门可以在流行病情下处理个人数据、而无需征得数据主体同意的法律依据；（2）在电子通信数据（例如，位置数据）的处理方面，《电子隐私指令》（e-privacy）规定，只有当数据被匿名化处理（例如，通过汇总）或征得数据主体同意的情况下，相关服务提供商才能使用此类数据，这将使公共机构通常可以基于数据汇总来生成有关某个位置的移动设备集中度的报告；（3）若数据无法进行匿名化处理，则《电子隐私指令》第15条允许欧盟成员国采取紧急立法权，即允许其在未征得数据主体同意的情况下，对可识别的电子通信数据进行处理。但如果采取此类措施，则成员国有义务采取适当的保障措施，例如授予个人司法救济权等。需要注意的是，该声明同时强调，数据控制者（包括雇主）以及政府仍应当考虑多种因素，以确保合法处理个人数据。（本文源自欧洲数据保护委员会官网。导读系本公众号原创，转载请注明文字出自本公众号。）] 1周前
Statement of the EDPB Chair
on the processing of personal data in the context of the COVID-19 outbreak
Brussels, 16 March 2020 – Governments, public and private organisations throughout Europe are taking measures to contain and mitigate COVID-19. This can involve the processing of different types of personal data.
Andrea Jelinek, Chair of the European Data Protection Board (EDPB), said: “Data protection rules (such as GDPR) do not hinder measures taken in the fightagainst the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
The GDPR is a broad legislation and also provides for the rules to apply to the processing of personal data in a context such as the one relating to COVID-19. Indeed, the GDPR provides for the legal grounds to enable the employers and the competent public health authorities to process personal datain the context of epidemics, without the need to obtain the consent of the data subject. This applies for instance when the processing of personal data isnecessary for the employers for reasons of public interest in the area of public health or to protect vital interests (Art. 6 and 9 of the GDPR) or to comply with another legal obligation.
For the processing of electronic communication data, such as mobile location data, additional rules apply. The national laws implementing the ePrivacy Directive provide for the principle that the location data can only be used by the operator when they are made anonymous, or with the consent of the individuals. The public authorities should first aim for the processing of location data in an anonymous way (i.e. processing data aggregated in a way that it cannot be reversed to personal data). This could enable to generate reports on the concentration of mobile devices at a certain location (“cartography”).
When it is not possible to only process anonymous data, Art. 15 of the ePrivacy Directive enables the member states to introduce legislative measures pursuing national security and public security. This emergency legislation ispossible under the condition that it constitutes a necessary, appropriate and proportionate measure within a democratic society. If such measures are introduced, a Member State is obliged to put in place adequate safeguards, suchas granting individuals the right to judicial remedy.