The spread of COVID-19 raises many challenges for companies with regard to the processing of personal data, including that of employees, service providers, customers or visitors who are granted access to corporate facilities for one reason or another.
In this context, companies have implemented various methods and forms of collecting personal data in order to comply with the contingency plans that have been adopted in their organisations, aimed at preventing and containing the spread of COVID-19 by ensuring the necessary hygiene, health and safety requirements.
The Abreu Advogados Intellectual Property and Information Technology practice area shares some useful recommendations and information regarding the protection of personal data in the context of COVID-19:
• Companies should adopt data and/or information collection means that do not identify or make identifiable the data subjects (in particular through the use of forms or anonymous surveys), where such means are compatible with the purposes of the data collection, for example to control entries to their premises.
• Where this is not practicable, companies must ensure that the personal data processed is adequate, relevant, necessary and limited having regard to the purposes for which it was collected.
• In the event that companies wish to collect personal data that they consider relevant for their contingency plans, such as information about travel and visits to certain countries or places, contacts with persons infected with COVID-19 or the existence of symptoms associated with this disease, they should pay particular attention to the different levels of protection that the law provides for the data concerned.
• The processing of personal data in this context, which are not health data or do not fall under other special categories of personal data, may be justified by the legitimate interests of the companies or third parties and by the need to protect the vital interests of the data subject or third party.
• On the other hand, the law provides for a number of exceptions to the prohibition involved in the collection and processing of personal health data.
• In this context, companies may base the processing of personal health data on grounds of public interest in the field of public health or the need to process data to fulfil obligations and exercise rights under employment law, social security and social protection, in particular where the purpose is to ensure the safety and health of workers in companies and to prevent the spread of COVID-19.
• Alternatively, companies may justify the further processing of health data by obtaining the consent of the data subjects, except in the case of workers' health data.
• Health data processing should be carried out by a person subject to an obligation of secrecy and, in certain cases, by a professional bound by secrecy or subject to a confidentiality duty. The appropriate information security measures must be guaranteed.
• Personal data processed in this context should be eliminated or rendered anonymous as soon as the purposes for which the personal data may be processed no longer exist.
The European Supervisory Authorities are looking into the processing of personal data in response to the spread of COVID-19, while the Portuguese Data Protection Committee has not yet issued any guidelines on this subject.