The EDPB has adopted a statement on data subject rights in relation to the COVID-19 state of emergency. The statement was adopted in response to a letter from Civil Liberties Union for Europe, Access Now and the Hungarian Civil Liberties Union about the Hungarian Government’s Decree 179/2020 of 4 May, which suspends the GDPR in relation to dealing with the pandemic.
The EDPB states that even in exceptional times, the protection of personal data must be upheld in all emergency measures. This is based on the overarching values of democracy, rule of law and fundamental rights on which the EU is founded.
The EDPB reiterates that the GDPR remains in force and permits an efficient response to the pandemic, while at the same time protecting fundamental rights and freedoms. Data protection law already enables the data processing required to contribute to the fight against the COVID-19 pandemic.
The following applies in relation to the restrictions on data subject rights in connection with the state of emergency:
- Restrictions which are general, extensive or intrusive to the extent that they void a fundamental right of its basic content cannot be justified.
- Under specific conditions, Article 23 GDPR allows national legislators to restrict via a legislative measure the scope of the obligations of controllers and processors and the rights of data subjects when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest of the EU or of a member state, such as, in particular, public health.
- Data subject rights are at the core of the fundamental right to data protection and Article 23 GDPR should be interpreted and read bearing in mind that their application should be the general rule. As restrictions are exceptions to the general rule, they should only be applied in limited circumstances.
- Restrictions must be provided for by law, and the law establishing restrictions should be sufficiently clear as to allow individuals to understand the conditions in which controllers are empowered to resort to them. Additionally, restrictions must be foreseeable for persons subject to them. Restrictions imposed for a duration not precisely limited in time, which apply retroactively or are subject to undefined conditions, do not meet the foreseeability criterion.
- The mere existence of a pandemic or any other emergency situation is not, on its own, a sufficient reason to provide for any kind of restriction on the rights of data subjects. Rather, any restriction must clearly contribute to safeguarding an important objective of general public interest of the EU or of a member state.
- The emergency state, adopted in a pandemic context, is a legal condition which may legitimise restrictions of data subject rights, provided these restrictions only apply insofar as is strictly necessary and proportionate in order to safeguard the public health objective. As a result, restrictions must be strictly limited in scope and in time, since data subject rights can be restricted but not denied. Additionally, the guarantees provided for under Article 23(2) GDPR must fully apply.
- Restrictions adopted in the context of a state of emergency suspending or postponing the application of data subject rights and the obligations incumbent on data controllers and processors, without any clear limitation in time, would equate to a de facto blanket suspension of those rights and would not be compatible with the essence of the fundamental rights and freedoms.
The EDPB has also announced it will issue guidelines on the implementation of Article 23 of the GDPR in the coming months.