COVID-19 Update: Tozers is providing our usual client services while maintaining the safety of our clients and colleagues. Full update here

Complete the form below to ask us a question or make an enquiry. We’ll get back to you via phone or email as soon as possible.


Data protection: European Data Protection Board issues statement that may inform the ICO’s approach during the coronavirus pandemic

Posted on 31st March 2020 in Intellectual Property, Employment, Coronavirus Pandemic

Posted by

Dan Griffin

Associate and Solicitor
Data protection: European Data Protection Board issues statement that may inform the ICO’s approach during the coronavirus pandemic

On 20 March the EDPB made a statement on processing of personal data in the context of coronavirus. The European Data Protection Board (EDPB) is the European body tasked with providing guidance aimed at ensuring consistent application of data protection regulations throughout member states.

During the Brexit transition period and likely afterward, EDPB statements will inform the Information Commissioner’s Office (ICO) approach. While the ICO have already provided some detail on their own website, the EDBP statement provides useful additional detail for businesses and organisations unsure of their data protection obligations during the pandemic.

The EDPB acknowledged that tackling the disease should be supported but said that controllers and processors must still process personal data lawfully.

With regard to restricting data subjects’ rights (i.e. allowing data controllers to do things otherwise not usually permitted) emergency is a legal condition which may legitimise restrictions provided they are proportionate and limited to the emergency.

The EDPB highlighted that the GDPR already allows authorities and employers to process personal data in an emergency without consent. For example where they have lawful authority, where it is necessary for reasons of substantial public interest in the area of public health and to protect an individual's vital interests. The GDPR specifically refers to the control of an epidemic at recital 46.

In an employment context, processing may also be necessary for compliance with a legal obligation such as health and safety or in the public interest (to counter threats to health).

The EDPB remind data controllers that the law must still be adhered to, so personal data should be processed for specified and explicit purposes and privacy notices need to inform data subjects about how the pandemic may change how their personal data is processed. Data protection policies should still prohibit data from being unlawfully disclosed. If decisions are taken to process data as a consequence of the epidemic these should be documented.

A copy of the EDPB statement can be viewed here

The ICO’s guidance can be viewed here

Company & Industry

Related Insights


Unclaimed estates totalling £1.744bn from those without Wills

Posted on 02nd October 2020 in Probate & Wills

It has been reported by a north-east property developer that there are approximately 7,991 estates currently left unclaimed in England and Wales. The total value of which is estimated at £1.744bn, equating to £218,300 per estate. They report that the majority of these estates have been left by single people who have not made a Will.

Posted by

Sue Halfyard

Associate and Chartered Legal Executive

Q&A with Karen Hillyer Chair of the Erb’s Palsy Group

Posted on 02nd October 2020 in Medical Negligence

We meet with the incredible Karen Hillyer, chair of the Erb's Palsy Group, for an engaging talk about her role and achievements as part of the Erb’s Palsy Group, advice for parents, and how Erb's Palsy Awareness Week could help achieve great results for the charity and those affected by the condition.

Posted by

Clair Hemming

Partner and Solicitor