COVID-19 and Data Protection: Sample Privacy Policy
April, 2020 - Sarmis Spilbergs, Mikijs Zimecs
Associate Partner Sarmis Spilbergs and Associate Mikijs Zimecs have prepared a sample of a Privacy Policy that may help employees to process data related to COVID-19 in accordance with the requirements of the General Data Protection Regulation. Sample in Latvian mentioned above is available below:
COVID-19 Data Processing Notice
Supplement to the Privacy Policy of SIA “[Name]”
This data processing notice has been issued considering the emergency situation declared in Latvia and possible processing of your personal data with respect to COVID-19 virus. These rules represent a supplement to the already existing privacy policy of (“Privacy Policy”) of SIA “[Firm name]”, available here: [link to the Privacy Policy] or in the HR Department. Data processing specified in this notice will be carried out in accordance with the Privacy Policy, insofar as not stated otherwise in this notice.
1. For what purpose and what personal data will be processed?
To ensure the protection of health of our clients and employees, to take protective measures against the risk of disease to other employees and clients, as well as, if necessary, to provide you with the possibility to work from home, we will process information that you would have provided to us, for example:
- Have you been abroad for the period of the last 14 days or have you been a contact person of such person?
- Do you have COVID-19 virus symptoms, or have you been a contact person of a person having virus symptoms?
- Have you been diagnosed with COVID-19 virus or have you been a contact person of such person?
2. Legal basis for data processing
Considering the risks of spread of COVID-19 and the hazards thereof, we are entitled to process personal data specified in this notice, based on the following legal bases in accordance with the General Data Protection Regulation (“GDPR”):
- Article 6.1(c) of the GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject (we as the employer have the obligation to ensure the safety of the employed pursuant to the Labor Protection Act);
- Article 6.1(d) of the GDPR - processing is necessary in order to protect vital interests of the data subject or of another natural person;
- Article 6.1(f) of the GDPR - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (to achieve the purposes referred to in Clause1 herein above).
With respect to data that can be considered to be personal data of a special category (data that may reveal your health condition), we will carry out data processing, based on Cabinet Regulation No103 On Declaration of the Emergency Situation, in interrelation with:
- Article 9.2(g) of the GDPR – processing is necessary for reasons of substantial public interest; and
- Article 9.2(i) of the GDPR - processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
3. How long will we retain such information?
We will retain information referred to herein till the achievement of the purposes thereof, however no longer than for the period of [number of days] days.
4. With whom can we share your personal data?
To achieve data processing purposes stated herein, we will disclose your personal data only to the persons, whom it is necessary for the achievement of data processing purposes. Inter alia, such persons may include:
- Center for Disease Control and Prevention (CDCP), State Police and other public authorities;
- other employees, without mentioning your identity.
Should you have any questions regarding this notice or data processing referred to herein, please contact the responsible person in the HR Department: [name, surname, contact details].
These rules are approved by the [date] decision of the Management Board of SIA “[Firm name]”.
Riga, 30 March 2020
This template is intended for commercial use only.Ellex Klavins is not liable for the content of this notice and the compliance thereof with your data processing activities.
Link to article