Does the GDPR not apply during the COVID-19 state of emergency?

In the last few months, we have seen organisations across Europe imposing various obligations on their employees, visitors and customers to fight against the spread of the COVID-19 virus. The underlying measures started with the completion of questionnaires on health conditions and have progressed to requiring temperature checks of people entering premises and installing thermal cameras at office entrances. Today, some employees whose presence is essential for business continuity receive regular blood tests. But some countries are going even further to change data protection rules during these extraordinary times. 

In Hungary, Government Decree No. 179/2020, issued on 4 May, restricts the protection and rights of data subjects for the purpose of preventing, recognising and investigating COVID-19 and stopping its spread, until the termination of the state of emergency. Firstly, it temporarily suspends Articles 15 to 22 of the GDPR, which relate to the processing of personal data, where the processing is carried out to prevent the spread of the virus; the suspension lasts until the end of the country’s state of emergency. Secondly, the decree states that data controllers, i.e. hospitals, government bodies and other institutions that hold data, do not have to deal with any requests to access or erase personal data until the state of emergency is over, and the courts need only start any proceedings relating to these requests on the first day after the state of emergency is declared over.

The European Data Protection Board (EDPB) subsequently investigated the restrictions and issued a statement on 2 June 2020, declaring that:

  • The restrictions cannot be general, extensive or intrusive;
  • The domestic law must be sufficiently clear and foreseeable, including the duration in time;
  • The mere existence of a pandemic or any other emergency alone is not a sufficient reason to provide for any kind of restriction on the rights of data subjects.

The Hungarian Government will likely declare the state of emergency to be over by mid-June, which would restore individual data protection rights. However, if there is a second wave of infections, legislators must consider the above recommendations of the EDPB. 

Namely, it will have to be proven that fulfilling data subjects’ access requests during a pandemic would actually hinder public health efforts. This may be the case when a hospital or a municipality is under-resourced and has had to divert those who usually deal with data protection matters to other pandemic-related tasks, but this must be assessed on a case-by-case basis. For example, private companies usually have dedicated privacy-related resources that regularly handle access requests, often via automated processes, so dealing with requests might not require unreasonable additional effort from their side.

It is likely that the EDPB will find that suspending the exercise of all types of data protection rights, in all sectors, for an indefinite period of the state of emergency is not proportionate or necessary. Trust and transparency regarding data processing play a key role in the operation of an organisation, in particular during the COVID-19 pandemic, and these principles greatly depend on the fulfilment of data subjects’ access rights.

Given the EDPB’s response, it is doubtful that further member states will now attempt to circumvent data protection laws as Hungary has. However, the EDPB has stated that it is developing further guidance that allows national authorities to restrict data rights “by way of a legislative measure”, leaving interesting questions open as to future developments in this area of data protection.

By Márton Domokos, a senior counsel within the commercial team at global law firm CMS’ Budapest office, and Co-ordinator of the CEE Data Protection Practice (CMNO).
