COVID-19: Some relevant aspects from the data protection perspective
Because of the global pandemic COVID-19, find below some questions and answers that, from the data protection perspective may be useful at this time.
1. Have the local authorities issued any regulation related with the handling of personal data due to the COVID-19?
To date, no regulation has been issued that directly affects or specifically regulates personal data handling activities. Therefore, for the handling of personal data, the provisions of the general regime of personal data must continue to be applied. In the case of information that is required to be shared due to the sanitary emergency, it is important to note that such information may be handled and shared with the relevant authorities, without requiring express authorization for this purpose, which does not prevent the implementation of security and retention measures in the handling of information, due to its sensitive nature.
2. Is it possible to obtain health information from employees if related to COVID-19?
Yes. In this regard, note that in general, information related to health issues is sensitive information, and therefore in order to perform its handling it is important to implement stricter security measures, as well as measures on the restriction on circulation of information.
Insofar as the information required is health information related to a medical or sanitary emergency, only for the relevant purposes, including sharing it with the competent authorities, the authorization from the data subject will not be necessary. Note that this would not allow the company to share the information with other employees or to make public the information of a relevant data subject.
However, taking into account that this information could be used by the company for internal reports, carrying out internal and preventive activities, internal control, among others, it is recommended to obtain the authorization/consent from the data subject, in which the data is clearly identified and all the purposes for the data handling are established, aiming at all times for the collection of adequate information for the fulfillment of the purpose, and bearing in mind that the data subject is not obliged to authorized the data handling, as it is established in the applicable law.
Also, it is important to mention that if the information is not provided voluntarily by a data subject (e.g. The employee informs that suspects or has been diagnosed), but the company decides to require random information such as information related with recent travels, contact with third parties, symptoms; we recommend to obtain a specific consent, specially because of the handling of sensitive information.
3. Due to the current situation, is it possible to contact people included in a data base to send commercial or interesting information via WhatsApp, SMS, phone, etc.?
It will be important to review how the initial consent or authorization was granted by the data subject. As long as the data subject has authorized to be contacted through the different means, and authorized to receive the kind of information that you are going to be sharing, it is possible to proceed that way; if the authorization is not sufficiently clear we recommend to obtain an specific consent for this matters. For example if the data subject authorized to be contacted in order to receive invoices or to perform payments, there is no authorization to contact that specific data subject for the purpose of sending commercial information, and therefore a specific authorization will be required. Similarly, sending information directly to a data subject in a social network would not be possible unless there is specific authorization.
4. The due date to update the National Data Base Registry is March 31st, 2020, is this still the deadline?
Yes. Until now the Superintendence of Industry and Commerce has not extended the said term. We understand that this is because the registry may be performed online, and since the crisis does not affect online services such update may be performed
5. If the company performs the handling of personal data regulated by GDPR, is there specific aspect to be aware in the handling of personal information related to COVID-19?
In general terms the handling of information related with public interest situations, including those of public health and to protect vital interests may be included within the exception of obtaining authorization or consent. Note that the Chair of the European Data Protection Board recently commented that “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic”, and highlighted the need on applying strict security measures and on the handling of personal information in order to warrant the adequate handling of personal data. The above is clear since this information would be sensitive and requires more specific and clear security measures when being handled.
Please do not hesitate in contacting us in case you require additional information on the above mentioned matters, or in other matters in relation with personal data handling at this time of crisis.