With the continuing COVID-19 pandemic, the world is experiencing serious economic dislocation, threats to well-established lifestyles, social stability and challenges to long-held values. In seeking to deal with the pandemic and manage the crisis, governments face various challenges, one area being data protection. For the European Union and its member states clarity is needed around this subject. For data controllers the question is: what is the relationship between COVID-19 pandemic restrictions and the protection of personal data? This article considers the relation between the General Data Protection Regulation and COVID-19 restrictions in the main areas of data management most affected by coronavirus, i.e. the processing of personal health data, the processing of workers‘ personal data and the processing of personal data in COVID-19 pandemic applications. Each of these areas has particular issues in terms of personal data processing, and these are discussed in the light of: the interpretations and experience of the European Union; the European Data Protection Board and other competent authorities; and the basic principles of personal data processing which remain unchanged as an essential duty of every controller.