In the context of the crisis generated by the COVID-19 global widespread, the European Data Protection Board (EDPB) has published a Statement on the processing of personal data in the context of the COVID-19 outbreak, which may be accessed here.

The main guidelines the Board established refer to the following aspects:

  • data controllers shall continue to ensure adequate measures are taken, in order for  personal data to be processed in a lawful manner, in compliance with the principles of the GDPR and the data subjects rights;
  • in the context of epidemics, employers will be able to process personal data, including health data, without the need to obtain the consent of the data subject, based on other legal grounds provided under Art. 6 and Art. 9 GDPR (such as the public interest or the protection of the vital interests of the data subjects or other individuals);
  • in principle, electronic communication data, such as mobile location data, shall be processed by the controller only in an anonymized form, or with the consent of the data subject. 

However, in exceptional situations, such as the one generated by the COVID-19 outbreak, the member states may introduce legislative measures allowing derogations from the rules of processing such data.

So far, Romania has not adopted such derogatory measures.

We will keep you updated on any further developments on

Across Europe, the processing of personal data in the context of the COVID-19 outbreak is approached differently by the Supervisory Authorities in the Member States. However, the tendency is to limit or even prohibit the processing of personal data by employers, in relation to the health status and/or travel itinerary of the employees or visitors, prior the pandemic outbreak. 

Locally, the National Supervisory Authority for Personal Data Processing (ANSPDCP) issued, on March 18, 2020, the following recommendations on the processing of health data:


  • the processing of health data can only be carried out under certain conditions, provided under Art. 9 GDPR. Thus, this type of personal data shall be processed, based on one or more legal grounds established under Art. 9 GDPR, namely: 


      • the consent of the data subject,
      • carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law,
      • for purposes related to preventive medicine, medical diagnosis, provision of health treatment or


  • for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health;
  • the disclosure to the public of the name and health status of an individual can be done only with the consent of the person concerned;
  • personal data which are not considered special category data, may be further processed, in compliance with the provisions of Art. 6 GDPR;
  • the obligation to inform the data subjects remains applicable to the data controllers.


In case of specific processing activities carried out in the context of the COVID-19 outbreak, especially in case of processing health data of employees, the employer must provide information, in a concise, transparent, intelligible and easily accessible manner, both to the employees, as well as to any other person whose data is being processed in this context; 

  • appropriate technical and organizational measures will be implemented, in order to ensure an appropriate level of security.

The Musat & Asociatii team supports its clients with swift and feasible legal solutions, adapted to the exceptional situation generated by the global spread of COVID-19, so as they can benefit from the most effective legal remedies to overcome this crisis situation. You can contact our colleagues specialized in this area of practice:

Print Friendly, PDF & Email