June 8, 2020
During its 30th plenary, the EDPB recalled that even in these exceptional times the protection of personal data must be upheld in all emergency measures, thus contributing to the respect of the overarching values of democracy, rule of law and fundamental rights on which the Union is founded.
In the statement, the EDPB reiterated that the GDPR remains applicable and allows for an efficient response to the pandemic, while at the same time protecting fundamental rights and freedoms. Data protection law already enables data processing operations necessary to contribute to the fight against the COVID-19 pandemic.
The statement recalls the main principles related to the restrictions on data subject rights in connection to the state of emergency in Member States:
- restrictions that are general, extensive or intrusive to the extent that they void a fundamental right of its basic content cannot be justified;
- under specific conditions, Article 23 GDPR allows national legislators to restrict the scope of controllers’ and processors’ obligations and the rights of data subjects when such restrictions respect the essence of the fundamental rights and freedoms and are a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest of the Union or of a Member State, such as public health;
- data subject rights are at the core of the fundamental right to data protection and Article 23 GDPR should be interpreted and read bearing in mind that their application should be the general rule. As restrictions are exceptions to the general rule, they should only be applied in limited circumstances;
- restrictions must be provided for by law, which should be sufficiently clear so as to allow citizens to understand the conditions in which controllers are empowered to resort to them. Additionally, restrictions must be foreseeable for persons subject to them. Restrictions imposed for a duration not precisely limited in time, which apply retroactively, or are subject to undefined conditions, do not meet the foreseeability criterion;
- the mere existence of a pandemic or any other emergency situation alone is not sufficient reason to provide for any kind of restriction on the rights of data subjects; rather, any restriction must clearly contribute to the safeguard of an important objective of general public interest of the EU or of a Member State;
- the emergency state, adopted in a pandemic context, is a legal condition, which may legitimise restrictions of data subject rights, provided these restrictions only apply insofar as is strictly necessary and proportionate in order to safeguard the public health objective. Therefore, restrictions must be strictly limited in scope and in time, since data subject rights can be restricted but not denied. Additionally, the guarantees provided for under Article 23(2) GDPR must apply in full; and
- restrictions adopted in the context of a state of emergency suspending or postponing the application of data subject rights and the obligations of data controllers and processors, without any clear limitation in time, would equate to a de facto blanket suspension of those rights and would not be compatible with the essence of the fundamental rights and freedoms.
The EDPB also announced that it will issue guidelines on the implementation of Article 23 of the GDPR in the coming months.