Over the past few weeks, we have witnessed governments, public authorities as well as private organizations and companies within the EU, taking measures to contain the pandemic outbreak of Covid-19. Such measures have inevitably affected the processing of special categories of personal data especially with the context of employment.

The European Data Protection Board (the “EDPB”) in its statement of 20th of March 2020 has stated that:

Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. A number of considerations should be taken into account to guarantee the lawful processing of personal data and in all cases it should be recalled that any measure taken in this context must respect the general principles of law and must not be irreversible. Emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period”.

It is therefore essential that data controllers and processors ensure the lawful processing of the personal data of data subjects and the protection of such data.

Public health authorities and employers are allowed under the GDPR to process personal data in the context of an epidemic, in accordance with national laws and within the conditions set therein.

The employment sector is one of the sectors that has been seriously affected in terms of compliance with data protection rules in view of the COVID-19 outbreak. Employers may need to request their employees to disclose data in relation to their trips, health etc. Employers need to be very careful when collecting and processing personal data so as to respect the general principles of law and simultaneously honour their legal obligations as well as the integrity and privacy of their employees.


In order to lawfully process a special category data, the so-called sensitive data, which include health data, one needs to identify both a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9.

  • Article 9:

The general restriction under Article 9 of the GDPR states that the processing of data concerning health shall be prohibited. The consent of the data subject is usually required as a derogation to the general rule.

However, the consent of the data subject is not the only derogation. The GDPR provides for legal grounds as exceptions that allow for the processing of personal data without consent of data subjects if it’s “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or where there is the need to protect the vital interests of the data subject”.

  • Article 6:

As also mentioned in the statement of the EDPB, in the context of employment, the employer has a legal obligation relating to health and safety at the workplace and may thus be required to process data to this respect. The processing of data by the employer may also be required for matters of public interest, such as the control of diseases and other threats to health. Processing under Article 6 may also be lawful if it is necessary in order to protect the vital interests of the data subject or of another natural person.


Employers should only require health information to the extent that national laws allow it and the principle of proportionality and data minimization is relevant. Employers should be really careful in disclosing information and data that may not be required.

At the same time, they should update their internal procedures with regards to the purposes of processing of these additional sensitive data as well as update their record retention policy to ensure that provision is made for the period of retention of these additional data. Further security measures and mechanisms must be put in place that ensure protection of the data (i.e. limited/secured access).

WORKING FROM HOME:                   

The new reality has forced employers to ensure that a business continuity plan is put in place, which allows employees to work from home. The provisions of GDPR do not impose a barrier to this.

The employer shall need to ensure that it has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. Such measures include pseudonymization and encryption measures which ensure confidentiality and the use of systems that allow the remote access of employees to the network and firewall of the office/company (i.e. VPN). Procedures will also have to be put in place regulating the employee’s use of hardcopies and they should also be educated with regards to the steps that need to be taken in case of a breach.


Employers should:

  • take appropriate care to require from their employees and visitors, information that relate to sensitive data only to the extent that national laws allow it while at the same time it honour the principle of proportionality and data minimization;


  • inform their personnel about any COVID-19 related incidents and take protective measures. At the same time, they need to ensure that they do not reveal any unnecessary information and ensure that the dignity and integrity of the affected employee are secured;


  • ensure that security measures are increased and procedures are updated when it comes to the processing of sensitive data and working from home. They should at all times ensure that the personal data of the data subjects are secured.    


This publication has been prepared as a general guide and for information purposes only. It is not a substitution for professional advice. One must not rely on it without receiving independent advice based on the particular facts of his/her own case.  No responsibility can be accepted by the authors or the publishers for any loss occasioned by acting or refraining from acting on the basis of this publication.


April 2020




Senior Associate Lawyer




We are a Law Firm with offices in Cyprus and Malta and a representative office in Shanghai China comprising of more than 70 lawyers, accountants and other professionals who advise, international and local clients.

The Firm has been offering legal and consulting services since 1983 evolving from a traditional law firm to an innovative cutting-edge multidisciplinary law firm combining exceptional expertise in law, tax, vat and accounting.

From its establishment the Firm’s focus has been heavily business oriented and always abreast with the latest global developments and innovations. Drawing from our pool of experienced professionals we provide our clients’ businesses full legal and accounting support on an everyday basis as well as customized solutions in today’s global financial and legal challenges.

We consider ourselves as ‘traditional pioneers’ and our motto is to foresee and anticipate any issues that may potentially impact our clients’ business and to offer effective advice and solutions proactively.


Kinanis LLC

Lawyers’ Limited Company
12 Egypt Street, 1097, Nicosia
P.O. Box 22303, 1520 Nicosia, Cyprus
Tel: + 357 22 55 88 88 – Fax: + 357 22 66 25 00
E-mail: KinanisLLC@kinanis.com – Web site: www.kinanis.com



Civil Partnership, Law Firm
Kinanis Fiduciaries Limited
Suite 20, The Penthouse, 4th Floor, Ewropa Business Centre,
Dun Karm Street, Birkirkara, BKR 9034, Malta
Tel: + 356 27 54 00 24, Fax: + 356 27 54 00 25
E-mail: malta@kinanis.com Website: www.kinanis.com


Kinanis (China) Limited

China Representative Office
Unit 661, 6/F CIROS PLAZA,
388 Nanjing West Road, Huangpu District,
Shanghai City, 200003, China
Tel: + 86 18 410 072 690
E-mail: china@kinanis.com Website: www.kinanis.com