COVID-19: summary of relevant lawful bases for processing of personal data | Practical Law

COVID-19: summary of relevant lawful bases for processing of personal data | Practical Law

Summary tables showing the potential lawful bases under EU and UK law for the processing of personal data in the context of the COVID-19 pandemic.

COVID-19: summary of relevant lawful bases for processing of personal data

Practical Law UK Articles w-025-3306 (Approx. 5 pages)

COVID-19: summary of relevant lawful bases for processing of personal data

by Oran Kiazim, Bird & Bird LLP
Law stated as at 04 May 2020European Union, United Kingdom
Summary tables showing the potential lawful bases under EU and UK law for the processing of personal data in the context of the COVID-19 pandemic.

Employee and worker data

Context
EU data protection law
UK data protection law
Processing data to comply with health and safety obligations
Article 6(1)(c) General Data Protection Regulation (GDPR);
Article 9(2)(b) GDPR.
Section 10(2) Data Protection Act 2018 (DPA 2018)
Paragraph 1, Schedule 1, DPA 2018. 
(An appropriate policy document and extended records of processing is required to comply with this condition; see Standard document, Appropriate policy document (special categories of personal data and criminal convictions data) (GDPR and DPA 2018) (UK).)
Processing to protect the vital interests of employees
Article 6(1)(d) GDPR;
Article 9(2)(c) GDPR.
GDPR provisions.
Sharing employee data with public health authorities
Article 9(2)(i) GDPR.
Section 10(2) DPA 2018;
Paragraph 3, Schedule 1, DPA 2018.

Patient data

Context
EU data protection law
UK data protection law
Processing for the provision of health and social care
Article 9(2)(h) GDPR;
Article 9(3) GDPR.
Section 10(2) DPA 2018;
Section 11(1) DPA 2018;
Paragraph 2, Schedule 1, DPA 2018.
Processing for reasons of public interest in the area of public health
Article 9(2)(i) GDPR.
Section 10(2) DPA 2018;
Paragraph 3, Schedule 1, DPA 2018.
Processing for the purposes of research
Article 9(2)(j) GDPR
Section 10(2) DPA 2018;
Paragraph 4, Schedule 1, DPA 2018.

Contact tracing (by public bodies)

Context
EU data protection law
UK data protection law
Processing location data
Article 6(1)(e) GDPR;
Article 9(2)(g) GDPR;
Article 9(2)(i) GDPR;
Article 9(2)(j) GDPR;
Article 6 ePrivacy Directive;
Article 9 ePrivacy Directive.
Section 8 DPA 2018;
Section 10(2) DPA 2018;
Paragraph 3, Schedule 1, DPA 2018;
Paragraph 4 , Schedule 1, DPA 2018;
Paragraph 6, Schedule 1, DPA 2018;
Regulation 7 Privacy and Electronic Communications Regulations 2003 (PECR 2003);
Regulation 14 PECR 2003.
Use of cookies, SDKs and similar technology
Article  5(3) ePrivacy Directive 
Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
[If special category personal data is processed:
Article 9(2)(a) GDPR;
Article 9(2)(i) GDPR]
GDPR provisions;
Section 10(2) DPA 2018;
Regulation 6 PECR;
Regulation 14 PECR;
[If special category personal data is processed:
Section 10(2) DPA 2018;
Paragraph 3, Schedule 1, DPA 2018]