Data protection regulations and COVID-19

The world is facing an extraordinary situation caused by the COVID-19 pandemic. Governments and private institutions around the world are fighting to alleviate the spread of the virus by implementing care measures which can include personal data processing.


European Commission evaluation report

The evaluation report published by the European Commission demonstrates how GDPR (The General Data Protection Regulation) has successfully met its objectives by offering individuals the possibility to protect their privacy through new rights and regulations.

GDPR has proven to be flexible in offering digital solutions in the pandemic crisis of COVID-19, giving citizens more control and transparency regarding what is happening to their data in the digital transition.

Vice-President for Values and Transparency, Věra Jourová, said:”This is the first global crisis where we can deploy the full power of technology to offer efficient solutions and support the exit strategies from the pandemic. Trust of Europeans will be key to success of the tracing mobile apps. Respecting the EU data protection rules will help ensure that our privacy and fundamental rights will be upheld and that the European approach will be transparent and proportional.”


Commissioner for Justice, Didier Reynders, said: “The use of mobile phone apps have the potential to really help in the fight against coronavirus, for example by helping users to diagnose themselves, as a safe communication channel between doctors and patients, by alerting users who are at risk of catching the virus, and to help us lift confinement measures. At the same time, we are talking about very sensitive data being collected on the health of our citizens, which we are duty-bound to protect. Our guidance supports the safe development of apps and protect our citizens’ personal data, in line with the EU’s strong data protection rules. We will get out of the sanitary crisis, while keeping our fundamental rights intact.



Guidance through the pandemic crisis


During the pandemic, the Privacy Enforcement Authorities (PEAs) have published guidance for the data controllers and processors with regards to the application of the data protection laws. PEAs clarified that respecting the fundamental rights of individuals with regards to data confidentiality does not preclude the application of security measures taken in the battle against COVID-19.

“The European Data Protection Board and the Council of Europe have released similar statements explaining that the General Data Protection Regulation (GDPR) and Convention 108 do not hinder measures taken in the fight against the pandemic, but do require that emergency restrictions on freedoms be proportionate and limited to the emergency PERIOD.”


The published report on how to ensure data privacy in the battle with COVID-19, OECD (The Organisation for Economic Co-operation and Development)  have underlined some key recommendations to guide those data collection and sharing practices.


  • Governments need to promote the responsible use of personal data.
  • Governments should consult PEAs before introducing measures that risk infringing on established privacy and data protection principles.
  • PEAs should address regulatory uncertainties
  • Governments should support national and international co-operation in collecting, processing and sharing personal health data for research, statistics and other health-related purposes in managing the COVID-19 crisis.
  • Governments and data controllers should be transparent and accountable for all actions they take in response to the crisis.


Regardless of the pandemic context and the possible derogation from the rights of data subjects during the state of emergency, the individuals still benefit from the rights established within GDPR, respectively the right to be informed regarding the contact details of the data controller, the storage period, the right of access and rectification and the right to submit a complaint to a supervisory authority. The obligation to inform data subjects about these rights may be fulfilled by the data controller by publishing this information in a transparent manner and a clear and simple language.


Need help?

Find out how Sovy COVID-19 Knowledge Portal can help you. Get in touch to find out more information.