COVID-19 and Employee Data Protection: Employers’ Most Common Dilemmas

From the perspective of personal data protection, the employees personal data collected by the employer in the context of COVID-19 can be divided into two groups:

Personal data in the general data protection regime includes all personal data, excluding the data that fall into categories that are explicitly defined in the law. The data is processed in accordance with general rules.

As we have previously written, companies must comply with the six data protection principles. We call them “the holy commandments” considering that each procedure and rule that the company implements must be in accordance with all six principles at any time. Besides this, for the processing to be lawful, the purpose of the processing must be categorized under one of the six lawful bases. Hence, there are no limitations when it comes to processing purposes, but each purpose must be subsumed under one of six lawful bases. To find out more on the principles and lawful bases for processing, please see our blog Tic-Toc… Is Your Company Compliant with the New Law on Personal Data Protection?

While personal data processing is generally permitted, in accordance with the GDPR (general data protection regime), processing of particularly sensitive data, as a general rule, is not.

Nevertheless, in regards to Article 9 of the GDPR, in Article 17 of the Personal Data Protection Act, there are 10 itemized exceptions to the prohibition of processing, particularly sensitive data. To process sensitive data lawfully, in every concrete situation, it is necessary to subsume the processing under one of the exceptions.

Thus, if personal data is related to the health status of a person, during the processing all legal conditions must be met, concerning both the general and special protection regime.

Based on the above, it appears that the employer’s first step will be determining whether the personal data falls under the category of health data (special protection regime) or data in the general data protection regime.

We will illustrate a few of the most common examples:

Unfortunately, there is no “one-size-fits-all” solution. In every specific case, the employer will have to determine the purpose of processing and categorize it under a legal basis prescribed by law, and ensure that the processing is compliment with the principles of processing.

In general, legal bases for data processing in the general data protection regime will most often be:

• Respecting the legal obligations of the controller(employer), such as ensuring safety and protection of life and health at work (Article 80 of the Employment Act and the Law on Safety and Health at Work)
• The legitimate interest of the employer or third party

but only in exceptional cases:

• Protection of vital interests of the person that the data is related to or of another natural person
• The employee’s consent.

For the particularly sensitive data, legitimate interest will not be relevant, since it cannot be used as the basis for the processing of this data. On the other hand, it will be necessary to meet the conditions of one of the exceptions prescribed by Article 17 of the Law on personal data protection (or Article 9 of the GDPR). In practice, the processing will most often be necessary for the fulfillment of the obligations or application of legally prescribed powers of the controller or other person to which the data is related in the area of work, social insurance, and social protection.

In the following text, we will be giving some good and bad examples of the employer’s data collection practices:

It is important to note that it should be considered that different rules will be applied depending on whether the employees work from home or come to work at the employer’s premises.

If the employee works from home, the scope of collected employee data will surely be narrowed down since the employer has fewer obligations concerning safety and protection measures in the workplace. However, the Commissioner emphasized that, if such work also involves personal data processing, in accordance with the principle of integrity and confidentiality, employers are obligated to ensure adequate measures to protect personal data, which includes implementation of technical and organizational measures, such as checking the security of the network and correspondence via business emails, etc.

Most of the time, consent will not be an adequate legal basis for the processing of employees’ personal data. Namely, the employer and employee are in a relationship of subordination, thus the consent can often be extorted. A more detailed explanation of consent as a legal basis in the employment context can be found in our previous blog 9 Most Common Misconceptions of Employers on Personal Data Protection.

The employer can share information with the staff about the presence of the virus within the company premises, but without giving names or any other identifying information of the infected employee, except if it is truly inevitable.

If the employee became infected while working from home, thus if the employer enabled their employees to work from home, it would be hard to find a reason to share the personal data of the infected employee.

An additional step in implementing measures within the company can involve introducing a special hotline for emergency calls in the context of the coronavirus, which would allow the employees, who suspect that they are potentially infected, to ask for help anonymously and without spreading panic.

In accordance with the general principle of transparency, the employer is obligated to inform the person, to which the data refer, about which of their data is disclosed, to who, for what purpose, and how long the retention period is.

Additionally, when the virus stops posing a threat, the employer is obligated to erase all collected personal data of their employees in relation to the coronavirus.

As we mentioned above, the health data of the employee requires a higher level of protection, due to their nature and sensitivity. In this regard, there is one more question that should be raised: what is the usage restriction regarding this type of data and how to justify their disclosure to third parties.? In this respect, a significant number of the national data protection authorities agree –the personal data of the infected employee can be disclosed only if it is necessary, in order to protect public interests and public health, for instance:

• Sharing with subjects required to be involved in order to implement certain health and safety measures, or
• Sharing with government authorities and organizations, when mandatory.

• United Kingdomcomplied their actions with the EDPB’s Statement: the employer should undertake all the necessary measures to protect the employees and holds the right to be notified if an employee is potentially infected. Additionally, employers whose businesses include direct contact with the clients may demand from all the visitors to comply with instructions by the competent authorities before entering the business premises of the employer.
• In France, the employer is authorized to collect coronavirus-related personal data of the employees only upon the request of competent authorities, but not before implementing all the prescribed measures of protection and work organization during the epidemic.
• Italian authorities announced that the detection and repression of COVID-19, by all means, is the exclusive mission of the professional healthcare institutions and civil protection subjects, in accordance with the legislation. Therefore, employers should refrain from performing self-initiated measures regarding data collection.
• Spanish data protection authority issued a statement that follows the one issued by the EDPB, highlighting which requirements need to be fulfilled, in relation to data collecting and processing during the coronavirus epidemic: a) lawful basis for processing – referring to Article 9 of GDPR, Spanish Data Protection Law and Labor Law, and b) data minimization.