One of the questions frequently asked by the companies these days is has anything changed concerning data protection under the legal and business “framework” established due to COVID-19 outbreak. On April 1, 2020, the Commissioner for Personal Data Protection came out with a statement on acting under COVID-19 circumstances.
The Commissioner explained that state of emergency, which limited human rights concerning freedom of movement and gathering, does not apply to rights and duties pertaining to data protection, so the data controllers and processors are to continue to follow the rules of the Personal Data Protection Law.
Since most of the issues concern health data, the Commissioner reiterated their special status, the processing of which is generally prohibited save under restrictive terms under the Article 17 of the Personal Data Protection Law. Therefore, the companies would have to apply all legal conditions as set by the respective law the same as before the outbreak. The novelty is that the legal basis for processing extended to decisions adopted by the state authorities during the state of emergency. The Commissioner explained that employers may process data concerning potential COVID-19 symptoms of the employees, candidates and other persons entering business premises of the employer, in line with the decisions of competent authorities relating to combating the actual pandemics, under the principles of processing of the Article 5 of the Data Protection Law. It is clear that this applies only to COVID-19 and not to other diseases. The Commissioner also pointed to appropriately including the data protection officer in all matters involving data protection.
In case of remote work involving data processing, controllers and processors are required to provide for adequate data protection, which includes safety checks on connection and correspondence via company e-mails etc. Processors are not allowed to make independent decisions on the manner in which they will continue processing the data due to altered state of affairs but have to comply with the instructions of the controllers.
Companies could not call on scientific research reasons for data processing on infected or sick from COVID-19, if not registered for scientific researches under the respective law and if not responsible for acting under the Personal Data Protection Law.
As to the execution of the rights of data subjects, the Commissioner pointed to the real obstacles of the controllers to respond to the requests of the data subjects within legal deadlines due to altered regime of business operations. He noted the possibility of using the extended deadline from the Law on Personal Data Protection (if such is necessary, due to complexity and number of requests). This would also mean that simply calling upon COVID-19 situation would not suffice. However, controllers are not exempted from their duty to respond to requests of data subjects under the Act.
Lastly, the Commissioner stated that it will continue to act upon the complaints of data subjects, but in the manner adapted to the Government and state authorities’ measures regarding COVID-19. Since Commissioner acts under the laws on administrative procedure, respective government regulation on deadlines in administrative procedures would apply accordingly.
