To meet your questions and concerns related to maintaining the principles of personal data protection in the face of the global COVID-19 pandemic, we have prepared a short guide to the key legal regulations and guidelines of authorities that you should keep in mind not only when conducting business and professional activity but also in everyday life.
1. COVID-19 Act
Decisions, orders, recommendations and guidelines addressed to legal entities and entrepreneurs
The Act of 2 March 2020 on special solutions related to the prevention, counteracting and combating of COVID-19, other infectious diseases and emergencies caused by them (hereinafter the “COVID-19 Act”) makes it possible to issue: (i) orders by the Prime Minister in the form of decisions which have immediate effect upon their delivery or announcement to legal entities, organizational units without legal personality and entrepreneurs; (ii) decisions by the Chief Sanitary Inspector or the state voivodship sanitary inspector acting under the authority of the Chief Sanitary Inspector, imposing on legal entities, natural persons and organizational units without legal personality, including employers, among others, the obligation to take specific preventive or control measures and deliver specific information, as well as (iii) recommendations and (iv) guidelines issued by the Chief Sanitary Inspector.
In the context of data protection it means that legal entities, entrepreneurs and organizational units, in particular employers, may be subject to specific obligations, the performance of which may require the collection or disclosure of personal data, especially, health data, which should not be collected and disclosed when there is no epidemic threat, for instance, taking a measurement of the employee’s body temperature.
We also note that works on the amendments to COVID-19 Act are underway. We will keep you posted on any key changes to this Act.
2. Regulation on the state of epidemic threat
Mandatory quarantine and collection of personal data by the Border Guard
The Regulation of the Minister of Health of 13 March 2020 regarding the announcement of the state of epidemic threat in the territory of the Republic of Poland amended by the Regulation of 16 March 2020, suspends the movement of passengers crossing the border of the Republic of Poland in rail transport. Therefore, from March 15, 2020, any person who crosses the border must undergo a mandatory quarantine lasting 14 days from the day after crossing the border and is required to provide the Border Guard officer with information about: (i) an address of residence or stay, where he or she will be subject to mandatory quarantine, as well as (ii) a phone number for contacting this person. Personal data obtained as part of the inspection will be disclosed by the Border Guard to the bodies of the State Sanitary Inspection. The quarantine obligation does not apply when crossing the Polish border takes place as a part of performing professional activities in a neighbouring country.
3. Statement and guidelines of the President of PDPO in connection with the COVID-19 threat
The statement on the lack of conflict between actions taken in the event of COVID-19 threat and the principles of personal data protection
The President of the Personal Data Protection Office (hereinafter the “President of PDPO“) in his statement of 12 March 2020 declares that the provisions on personal data protection cannot be an obstacle to conducting the activities with regard to the fight against the coronavirus and any regulations being currently enacted do not conflict with the principles of data protection expressed in the general data protection regulation, i.e. GDPR. The President of PDPO noted that the provisions of the GDPR provide for the situations related to the protection of health and prevention of spread of infectious diseases and they indicate that the data processing should be seen as lawful where it is necessary to protect an interest which is essential for the life of data subjects, for example where the processing is necessary for humanitarian purposes, including monitoring epidemics and their spread.
The full content of the statement is available at: https://uodo.gov.pl/en/553/1103
The guidelines for personal data protection during remote work
The President of the Personal Data Protection Office (hereinafter the “President of PDPO“) issued a short guide on how to protect personal data while working remotely. Below are the most important tips:
(a) Devices and software that are used during remote work should be properly updated and secured by an anti-virus system; applications and software that are incompatible with the security policies applied by a given entity should not be installed;
(b) The space in which the work is performed should be appropriately separated, and the equipment used for work should be protected against unauthorized access by unauthorized persons;
(c) Business correspondence should be send from official e-mail accounts, and if this is not possible, the content of messages and attachments should be encrypted;
(d) Special attention should be paid to the recipient and sender of the message in order to avoid sending personal data to unauthorized persons, as well as to protect against hacker attacks;
(e) Trusted access to networks or so-called “cloud” services should be used; also one should comply with all the rules of secure data sharing and archiving.
The full content of the guide is available at: https://uodo.gov.pl/pl/138/1459 (in Polish only).
4. Statement of the Chair of the European Data Protection Board (EDPB)
The Chair of the European Data Protection Board (hereinafter “EDPB“) in her statement of 16 March 2020 claims similarly to the President of PDPO that data protection rules do not hinder measures taken in the fight against the pandemic. She stressed however that the data controller must guarantee the lawful processing of personal data. In the statement she noted also that the GDPR provides for the grounds to enable the employers and the competent public health authorities to process personal data without the need to obtain the consent of the data subject when the processing of personal data is necessary for the employers for reasons of public interest in the area of public health or to protect vital interests or to comply with another legal obligation. She also mentioned the question of the processing of the location data by public authorities, which should be in the first place processed in an anonymous way.
Proportional actions taken in the scope of counteracting an epidemic threat are in accordance with applicable provisions on the personal data protection. Such actions may include, in particular, processing by the employer of data on the employee’s state of health in the event of suspected or confirmed COVID-19 symptoms. However, one should bear in mind the principle of data minimization, resulting from the GDPR, which requires the collection and processing of only such data that is adequate, relevant and limited to what is necessary to achieve the purpose, in this case, to prevent the spread of the virus. The employer should also respect the privacy of the employee and limit the disclosure of data about his or her health only to authorized personnel, e.g. the HR department.