Stay in the loop with the most important updates
Contact: Tijana Žunić Marić
Although the presence of the COVID-19 has become a part of our everyday lives, certain questions remained unclear in practice. Since the beginning of the COVID-19 pandemic, employers are often facing situations in which their employees are COVID-19 positive. This challenge arises several doubts relating to the implementation of health protection measures in the workplace and information exchange on one side, and the protection of employee privacy on the other.
These questions arise not just in with respect to the employer-employee relationship, but also in relation to other visitors to different business premises (for example, clients, suppliers, job candidates, and so on).
Unlike the majority of the European countries, the local supervisory authority, the Commissioner for Personal Data Protection (hereinafter: the Commissioner) has not introduced any concrete instructions for the companies with respect to the processing of personal data of both employees and company visitors. On multiple occasions, the Commissioner has called on the public, especially the public authorities and media, to ensure that activities related to the prevention of the spread of the coronavirus, do not violate the right to privacy of those infected. The Commissioner briefly discussed the matter of employer obligations in his Statement from April 1, 2020, but the statement does not contain any further instructions.
Bearing in mind that the Personal Data Protection Act is a “clone” of sorts of the EU General Data Protection Regulation (hereinafter: GDPR) (explained in detail in our blog The New Law on Personal Data Protection – Key Novelties), the potential solution may be to consult the Statement on the processing of personal data in the context of the COVID-19 outbreak, which was introduced by the European Data Protection Board (hereinafter: EDPB or European Board). Besides this, certain conclusions can be made by the analysis of the solutions implemented in some EU countries.
We will analyze by answering hypothetical questions, which we have most often come across in practice.
In short: NO
The European Board emphasized that the rules related to data protection do not in any manner obstruct the implementation of emergency measures introduced to prevent the spread of coronavirus, and, therefore, that the personal data processors (including employers) must maintain a certain level of protection of the collected personal data regardless of whether the state of emergency or emergency situation is declared in their country.
Additionally, the Commissioner has expressed in their statement given during the state of emergency that unlike the other rights (for example, the right to assembly), the right to personal data protection is not limited during the state of emergency. Therefore, in a situation where the state of emergency is not in force, there is even less room to consider limiting the right to personal data protection.
From the perspective of personal data protection, the employees personal data collected by the employer in the context of COVID-19 can be divided into two groups:
Personal data in the general data protection regime includes all personal data, excluding the data that fall into categories that are explicitly defined in the law. The data is processed in accordance with general rules.
As we have previously written, companies must comply with the six data protection principles. We call them “the holy commandments” considering that each procedure and rule that the company implements must be in accordance with all six principles at any time. Besides this, for the processing to be lawful, the purpose of the processing must be categorized under one of the six lawful bases. Hence, there are no limitations when it comes to processing purposes, but each purpose must be subsumed under one of six lawful bases. To find out more on the principles and lawful bases for processing, please see our blog Tic-Toc… Is Your Company Compliant with the New Law on Personal Data Protection?
However, according to Article 9 of the General Data Protection Regulation (GDPR), health data is classified into the special (particularly sensitive) data category, which requires a higher level of protection compared to other data. This means that this type of processing should be given special attention.
While personal data processing is generally permitted, in accordance with the GDPR (general data protection regime), processing of particularly sensitive data, as a general rule, is not.
Nevertheless, in regards to Article 9 of the GDPR, in Article 17 of the Personal Data Protection Act, there are 10 itemized exceptions to the prohibition of processing, particularly sensitive data. To process sensitive data lawfully, in every concrete situation, it is necessary to subsume the processing under one of the exceptions.
Thus, if personal data is related to the health status of a person, during the processing all legal conditions must be met, concerning both the general and special protection regime.
Based on the above, it appears that the employer’s first step will be determining whether the personal data falls under the category of health data (special protection regime) or data in the general data protection regime.
We will illustrate a few of the most common examples:
|PERSONAL DATA||DATA PROTECTION REGIME|
|Data about the employee’s COVID-19 symptoms||Requires the special data protection regime|
|Data about the employee’s COVID-19 test results||Requires the special data protection regime|
|Data about the contacts of the employee who contracted COVID-19||Requires the general data protection regime|
|Data about traveling to high-risk areas||Requires the general data protection regime|
Unfortunately, there is no “one-size-fits-all” solution. In every specific case, the employer will have to determine the purpose of processing and categorize it under a legal basis prescribed by law, and ensure that the processing is compliment with the principles of processing.
In general, legal bases for data processing in the general data protection regime will most often be:
but only in exceptional cases:
For the particularly sensitive data, legitimate interest will not be relevant, since it cannot be used as the basis for the processing of this data. On the other hand, it will be necessary to meet the conditions of one of the exceptions prescribed by Article 17 of the Law on personal data protection (or Article 9 of the GDPR). In practice, the processing will most often be necessary for the fulfillment of the obligations or application of legally prescribed powers of the controller or other person to which the data is related in the area of work, social insurance, and social protection.
In the following text, we will be giving some good and bad examples of the employer’s data collection practices:
|POTENTIALLY PERMITTED PROCESSING||POTENTIALLY PROHIBITED PROCESSING|
|Diagnosis of COVID-19 infection by a competent doctor||The implementation of blood tests or other tests by the employer (or a person hired by the employer for such purposes) or daily temperature measurements|
|Close contacts that have become infected or have symptoms||Data about persons with which the employee has been in contact|
It is important to note that it should be considered that different rules will be applied depending on whether the employees work from home or come to work at the employer’s premises.
If the employee works from home, the scope of collected employee data will surely be narrowed down since the employer has fewer obligations concerning safety and protection measures in the workplace. However, the Commissioner emphasized that, if such work also involves personal data processing, in accordance with the principle of integrity and confidentiality, employers are obligated to ensure adequate measures to protect personal data, which includes implementation of technical and organizational measures, such as checking the security of the network and correspondence via business emails, etc.
Most of the time, consent will not be an adequate legal basis for the processing of employees’ personal data. Namely, the employer and employee are in a relationship of subordination, thus the consent can often be extorted. A more detailed explanation of consent as a legal basis in the employment context can be found in our previous blog 9 Most Common Misconceptions of Employers on Personal Data Protection.
The employer can share information with the staff about the presence of the virus within the company premises, but without giving names or any other identifying information of the infected employee, except if it is truly inevitable.
If the employee became infected while working from home, thus if the employer enabled their employees to work from home, it would be hard to find a reason to share the personal data of the infected employee.
An additional step in implementing measures within the company can involve introducing a special hotline for emergency calls in the context of the coronavirus, which would allow the employees, who suspect that they are potentially infected, to ask for help anonymously and without spreading panic.
In accordance with the general principle of transparency, the employer is obligated to inform the person, to which the data refer, about which of their data is disclosed, to who, for what purpose, and how long the retention period is.
Additionally, when the virus stops posing a threat, the employer is obligated to erase all collected personal data of their employees in relation to the coronavirus.
As we mentioned above, the health data of the employee requires a higher level of protection, due to their nature and sensitivity. In this regard, there is one more question that should be raised: what is the usage restriction regarding this type of data and how to justify their disclosure to third parties.? In this respect, a significant number of the national data protection authorities agree –the personal data of the infected employee can be disclosed only if it is necessary, in order to protect public interests and public health, for instance: