March 31, 2020

Covid-19: Data protection and privacy

With thousands of lives lost or at stake, rising unemployment levels, mobility restrictions and stumbling oil prices, we are now also in a global economic downturn. Governments and banks have announced various support schemes for households and businesses. Entrepreneurs, directors and management teams must set the overall operational strategy to combat the effects of the virus. They must consider their businesses’ supply chain and, if they have not already done so, contact their suppliers and enquire about their risk exposure and contingency plans in case of supply disruptions.

The impact will differ significantly according to the industry or sector concerned. For instance, businesses in the tourism, leisure, accommodation, and food and beverages sectors should expect a substantially harder hit, particularly in the foreseeable future. Individuals and organisations alike need to swiftly assess and mitigate losses as well as risk, and consistently evaluate decision-making to progress their business. It is crucially important, however, particularly during this crisis, that sustainable initiatives are taken across all levels.

Data Protection

The EU General Data Protection Regulation (“GDPR”) substantially changed data privacy rules. By now, organisations in the EU, or organisations outside the EU which process personal data of EU residents, should be in a position to demonstrate that they fulfil the necessary requirements for compliance.

Key issues and practical considerations arise which impact the majority of organisations and address gaps in compliance. For instance, organisations should assess any non-EU entities that process personal data of EU residents as well as third-party processors, determine their “main establishment” if they have establishments in more than one EU Member State, and implement effective internal systems, safety controls and technical measures that comply with the GDPR, as well as a privacy policy.

Covid-19 and GDPR

We are already witnessing unprecedented processing of different types of personal data, including sensitive data, by public authorities and private organisations due to the coronavirus outbreak.

It is noteworthy that consent would normally be required under the GDPR for the purpose of processing sensitive data; however, exceptions are provided, as set out below.

Therefore, data controllers and processors must ensure the protection of the personal information of the data subjects.

“Personal Information” means any information that can be used to identify an individual or that we can connect to a person. Such Personal Information does not consist of anonymous data.

European Data Protection Board Statement

On 19 March 2020 the European Data Protection Board adopted its statement on the processing of personal data in the context of the Covid-19 outbreak.

By way of summary, please note as follows:

  1. Lawfulness of processing
    In accordance with the EU General Data Protection Regulation (GDPR) and national legislation, competent public health authorities and employers can process personal data, due to the coronavirus outbreak, for instance where required by reason of a substantial public interest in the context of public healthcare or legal obligation, respectively.
  2. Core principles relating to the processing of personal data
    It is of utmost importance that data subjects should receive transparent information on the processing activities carried out in clear and plain language.
  3. ePrivacy Directive
    The ePrivacy Directive is also of particular importance in relation to the processing of anonymous data (i.e. aggregated in a way that individuals cannot be reidentified).

You can find the full version of the EDPB announcement at https://bit.ly/3dGqxxf.

Given the focus of the GDPR on accountability, a Data Privacy Impact Assessment should be carried out by organisations in certain circumstances in order to evaluate if specific processing may entail a high risk for the rights and freedoms of individuals.

It is particularly important for organisations to increase awareness through training of all stakeholders involved and to assess if they should appoint a Data Protection Officer (“DPO”) and set up a Privacy Office. The DPO should be able to provide the organisation with day-to-day independent advice in relation to the GDPR.

Of course, the competent regulatory authority plays a crucial role in the implementation and enforcement of the GDPR and corresponding national legislation, as well as respective guidelines, and should be consulted as appropriate.



Our firm helps SMEs and large organisations in a wide range of sectors to comply with the GDPR and national legislation.

Our associates focus on technology and cybersecurity aspects to cover all angles of the necessary exercises, in line with the rapid shifts in technological disruption.

  • Data Protection & Privacy
  • GDPR Assessment & Implementation
  • Privacy Policy
  • Data Privacy Impact Assessment
  • Data Protection Officer
  • Data Security and Privacy Management
  • Technology
  • Cybersecurity

Please do not hesitate to contact us if you require further information or support on such matters.

Data Protection Law Firm of the Year in Cyprus: 2020 Global Law Experts 11th Annual Awards

Copyright © 2020 K. A. Kourtellos & Co LLC
K. A. Kourtellos & Co LLC is regulated by the Cyprus Bar Association