Guidance on the processing of personal data and cybersecurity in the context of the COVID-19 pandemic


Paolo Balboni – ICT Legal Consulting Founding Partner – and his team have mapped, without any claim to completeness, official resources that provide guidance on the correct processing of personal data in the context of COVID-19, together with cybersecurity-related information on working remotely in the context of the pandemic.

An updated version of the list can be found on Paolo Balboni’s personal blog.


Cybersecurity: Information on working remotely in the context of the COVID-19 pandemic


European Commission, ENISA, CERT-EU and Europol – COVID-19 Joint Statement

EU Agency for Cybersecurity (ENISA) – Tips for cybersecurity when working from home

Europol – Safe Teleworking Tips and Advice; How criminals profit from the COVID-19 pandemic; Make your home a Cyber Safe Stronghold

France – platform, IT security recommendations for teleworking in crisis situations

Irish Data Protection Commission – Protecting Personal Data When Working Remotely and Staying safe online during a pandemic

UK Information Commissioner’s Office – Data security – a guide to the basics

UK National Cyber Security Centre (NCSC) – NCSC issues guidance as home working increases in response to COVID-19

United States Cybersecurity and Infrastructure Security Agency – Defending Against COVID-19 Cyber Scams; Risk Management for Novel Coronavirus (COVID-19)



Privacy and Data Protection: Processing of personal data in the context of COVID-19


Statements from EDPS, EDPB and UN

European Data Protection Board – Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak and Statement on the processing of personal data in the context of the COVID-19 outbreak, adopted on 19 March 2020

European Data Protection Supervisor – Monitoring the speed of COVID-19, EDPS Comments to DG CONNECT of the European Commission on monitoring of COVID-19 spread

United Nations Special Rapporteurs – COVID-19: States should not abuse emergency measures to suppress human rights


National Statements and Guidance

Albania – IDP Guidelines on the protection of personal data in the context of the measures taken against COVID-19

Argentina – Agencia de Acceso a la Información Pública, Tratamiento de datos personales ante el Coronavirus

Australia – Office of the Australian Information Commissioner (OAIC), Coronavirus (COVID-19): Understanding your privacy obligations to your staff – Agencies

Austria – Austrian Data Protection Authority, Information on Coronavirus (Covid-19)

Bulgaria – Commission for Personal Data Protection, CPDP introduces anti-epidemic measures against the spread of COVID-19

Canada – Office of the Privacy Commissioner of Canada, Announcement: Commissioner issues guidance on privacy and the COVID-19 outbreak and Guidance: Privacy and the COVID-19 outbreak; Office of the Information and Privacy Commissioner of Alberta, Privacy in a Pandemic

China – Cyberspace Administration of China, Notice on protecting personal information and using big data to support joint prevention and control

Denmark – Datatilsynet, How about GDPR and coronavirus? and Corona virus and digital infection detection

Finland – Office of the Data Protection Ombudsman, Data protection and limiting the spread of coronavirus

France – Commission Nationale de l’Informatique et des Libertés, Coronavirus (Covid-19): les rappels de la CNIL sur la collecte de données personnelles; Recherches sur le COVID-19 : la CNIL se mobilise

Gibraltar – Gibraltar Regulatory Authority, Data protection and Coronavirus: What you need to know

Germany – Office of the Federal Commissioner for Data Protection and Freedom of Information, DSK provides information on data protection and Coronavirus and German Data Protection Supervisory Authorities joint information paper on data protection and the Coronavirus pandemic

Greece – Hellenic Data Protection Authority, Guidelines for personal data processing in the management of COVID-19

Hong Kong – Privacy Commissioner for Personal Data, The Use of Information on Social Media for Tracking Potential Carriers of COVID-19 and Privacy Commissioner Responds to Privacy Issues Arising from Mandatory Quarantine Measures and Provides Updates on Doxxing

Hungary – Hungarian National Authority for Data Protection and Freedom of Information, Information on processing data related to the Coronavirus epidemic

Iceland – Data Protection Authority, COVID-19 and privacy

Ireland – Irish Data Protection Commission, Data Protection and COVID-19; Covid 19 and Subject Access Requests

Italy – Garante per la protezione dei dati personali, Coronavirus: No do-it-yourself (DIY) data collection, says the Italian DPA, Italian state – Urgent provisions for the strengthening of the National Health Service in relation to the COVID-19 emergency and Italian state – March 14 Shared protocol for the regulation of measures for counteracting and containing the spread of the Covid-19 virus in workplaces

Isle of Man – Information Commissioner, Coronavirus, Data Protection, and Freedom of Information

Jersey – Office of the Information Commissioner, Data Protection and Coronavirus

Lithuania – State Data Protection Inspectorate, Personal Data Protection and Coronavirus COVID-19

Luxembourg – National Commission for Data Protection, Coronavirus (COVID-19): recommendations by the CNPD on the processing of personal data in the context of a health crisis

Malta – Office of Information and Data Protection Commissioner, Processing of personal data in the context of COVID-19

Mexico – National Institute for Transparency, Access to Information and Personal Data Protection, Ante casos de COVID-19, INAI emite recomendaciones para tratamiento de datos personales; Suspende INAI eventos públicos, por recomendación de la SSA para evitar contagio de COVID-19; and Adoptará INAI como medida de prevención el trabajo a distancia ante COVID-19

Netherlands – De Autoriteit Persoonsgegevens, AP gives organizations more time due to corona crisis

New Zealand – Office of the Privacy Commissioner, Covid-19 and privacy FAQs, Privacy and Covid-19: Hospitality establishment guest registers

North Macedonia – Personal Data Protection Agency of the Republic of Northern Macedonia, Data Protection and Coronavirus

Norway – Datatilsynet, Corona and privacy; New tracking app to prevent coronavirus infections

Peru – Autoridad Nacional de Protección de Datos Personales del Peru, Divulgar datos personales de pacientes con coronavirus puede ser multado hasta con 215 mil soles

Philippines – National Privacy Commission, NPC PHE BULLETIN No. 3: Collect what is necessary. Disclose only to the proper authority

Poland – Personal Data Protection Office of Poland, Statement by the President of the Personal Data Protection Office on coronavirus

San Marino – Autorità Garante per la protezione dei dati personali, Public announcement on COVID-19 emergency

Slovakia – Office for Personal Data Protection of the Slovak Republic, Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak and Coronavirus and processing of personal data

Spain – Agencia Española de Protección de Datos, Report from the State Legal Service Department on Processing Activities Relating to the Obligation for Controllers from Private Companies and Public Administrations to Report on Workers Suffering from Covid-19; Covid-19 FAQs; La AEPD publica un informe sobre los tratamientos de datos en relación con el COVID-19; Campañas de phishing sobre el COVID-19; Comunicado de la AEPD sobre apps y webs de autoevaluación del Coronavirus

Sweden – Datainspektionen, Corona virus and personal data

Switzerland – Federal Data Protection and Information Commissioner, Data protection legal framework for the containment of the coronavirus

Turkey – Turkish Data Protection Authority KVKK, Public Announcement on COVID-19

United Kingdom – Information Commissioner’s Office (ICO), Data protection and coronavirus: statement for health and care practitioners; COVID-19: general data protection advice for data controllers; and The power of data in a pandemic

United States of America – Federal Communications Commission, Declaratory Ruling on COVID, and Department of Health and Human Services, HIPAA Privacy and Novel Coronavirus


The content of this article has undergone an update. Please read this post for the updated version.