It is obvious that the protection of the population enjoys priority when it comes to measures to contain the corona pandemic and that other fundamental rights – including those relating to data protection – may be restricted to some extent. Even if data protection is not likely to be the main concern at present, both companies and their employees should bear in mind that restrictions of data protection and data security are only admissible if the measures are absolutely necessary and are limited to the duration of the exceptional situation.
According to the opinion of German data protection supervisory authorities, legal deadlines of the GDPR continue to apply in unchanged form (https://datenschutz-hamburg.de/assets/pdf/Corona-FAQ.pdf). Even in the times of Covid-19, however, data subjects obviously have the right to receive information from data controllers about personal data stored about them within one month. Even in times of crisis, extensions of that period in accordance with Article 12(3) sentence 2 GDPR are only possible where such extensions are necessary due to the complexity and number of requests. It is welcome to note that the Hamburg Commissioner for Data Protection and Freedom of Information, for example, argues that infringements will not be prosecuted if the statutory deadlines are exceeded, if it can be proven that the data controller’s ability to work is severely restricted due to the corona crisis. As part of the competent data protection supervisory authority’s discretionary decision, the length of the delay and the size of the relevant company will be of material importance in each individual case.
Even in times of crisis, of course, notifications of data protection breaches must be made to the competent data protection supervisory authority in accordance with Article 33(1) GDPR without delay and, wherever possible, within 72 hours. Pandemic-related restrictions on companies’ ability to work may, however, also be taken into account in these cases if necessary. It is important, though, that even when working from the home office, employees report any data protection breaches to the company’s data protection team without delay because criminals are exploiting the current exceptional situation for their own purposes, and cyberattacks are increasing almost on a daily basis (https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/Cyber-Kriminell_02042020.html).
Tip for use in practice: Precautions need to be taken for work from the home office, taking into account – to the extent possible – the data protection rights both of employees and of other data subjects. These measures include provisions to guarantee the rights of data subjects (such as to information and erasure of data) and the reporting of any data protection breaches. Employees need to be made aware of these requirements and, where possible, should sign written commitments to comply with data protection measures.
Status: April 6, 2020