COVID-19 and Employee Data Protection: Answering Employers’ Dilemmas

July 2020

Employers are massively facing situations in which their employees have contracted COVID-19. This challenge often comes with several doubts relating to information exchange and health protection measures in the workplace on one side, and the protection of employee privacy on the other.

These matters occur not just in relation to the employer-employee relationship, but also in relation to others visiting the workplace (for example, clients, suppliers, job candidates, and so on).

Unlike the majority of countries in the EU, the local supervisory authority, the Commissioner for Personal Data Protection (hereinafter: the “Commissioner”), has not introduced any concrete instructions about how employers should handle the processing of the personal data of employees and visitors. In the current situation, the Commissioner has called on the public, especially the media and public authorities, to take care that activities done with the intent of preventing the spread of the coronavirus do not violate the right to privacy of those infected. The Commissioner briefly discussed the matter of employer obligations in his Statement of April 1, 2020, but that statement contains no further instructions.

Having in mind that the Law on personal data protection is a “clone” of sorts of the General Data Protection Regulation (hereinafter: GDPR) (explained further in our blog The New Law on Personal Data Protection – Key Novelties), the solution may be to consult the Statement on the processing of personal data in the context of the COVID-19 outbreak, which was introduced by the European Data Protection Board (hereinafter: EDPB or European Board). Besides this, we will analyze how other countries in the EU have dealt with certain matters and draw conclusions in relation to Serbia.

We will analyze by answering hypothetical questions, which we have most often come across in practice.

Question 1: Can the employer suspend the rules on the employees’ personal data protection, while dealing with the matter of health protection?

In short: NO

The European Board stressed that the norms related to data protection do not in any way hinder the implementation of emergency measures introduced to prevent the spread of the coronavirus. Thus, personal data processors (which include employers) must maintain a certain level of protection of the collected data regardless of whether a state of emergency or an emergency situation has been declared in their country.

In addition, the Commissioner has expressed in his statement given during the state of emergency that the right to personal data protection is not limited during the state of emergency, unlike other rights (for example, the right to assembly). Now, after the state of emergency has been lifted, there is even less room to consider limiting the right to personal data protection.

Question 2: What data is the employer permitted to process?

From the perspective of personal data protection, the data that the employer collects about their employees in the context of COVID-19 can be divided into two groups:

Personal data in the general data protection regime includes all personal data, excluding exceptions that fall into categories that are explicitly defined in the law. The data is processed in accordance with general rules.

As we have previously written, companies must take into account the six data protection principles. We call them “the holy commandments” because each procedure and rule that the company implements must be in accordance with all six principles at all times. Besides this, for the processing to be lawful, the purpose of the processing must be subsumed under one of the six lawful legal bases. See more on the principles and lawful bases for processing in our blog Tic-Toc… Is Your Company Compliant with the New Law on Personal Data Protection?.

However, according to Article 9 of the General Data Protection Regulation (GDPR), health data is classified into the special (particularly sensitive) data category, which requires a higher level of protection compared to other data. This means that this type of processing should be given special attention.

Therefore, while personal data processing is generally permitted, in accordance with the GDPR (general data protection regime), processing of particularly sensitive data, as a general rule, is not.

Nevertheless, Article 17 of the Law on personal data protection (mirroring Article 9 of the GDPR) lists 10 itemized exceptions to the prohibition on processing particularly sensitive data. In every concrete situation, it is necessary to subsume the processing under one of these exceptions.

Thus, if personal data is related to the health status of a person, all legal conditions must be met, concerning both the general and special protection regime.

Based on the above, it appears that the employer’s first step will be determining whether the personal data falls into the category of health data (special protection regime) or data in the general data protection regime.

We will illustrate a few of the most common examples:

  • Data about the employee’s COVID-19 symptoms: requires the special data protection regime
  • Data about the employee’s COVID-19 test results: requires the special data protection regime
  • Data about the contacts of the employee who contracted COVID-19: requires the general data protection regime
  • Data about traveling to high-risk areas: requires the general data protection regime

Question 3: What should the employer look after in a concrete situation?

Unfortunately, there is no “one-size-fits-all” solution. In every specific case, the employer will have to determine the purpose of processing and categorize it under a legal basis prescribed by law, while bearing in mind the principles of processing.

In general, legal bases for data processing in the general data protection regime will most often be:

  • Respecting the legal obligations of the controller (employer), such as ensuring safety and protection of life and health at work (Article 80 of the Employment Act and the Law on Safety and Health at Work)
  • The legitimate interest of the employer or third party

but only in exceptional cases:

  • Protection of vital interests of the person that the data is related to or of another natural person
  • The employee’s consent.

In regards to particularly sensitive data, legitimate interest will not play a role. It will be necessary to meet the conditions of one of the exceptions prescribed by Article 17 of the Law on personal data protection (or Article 9 of the GDPR). The processing will most often be necessary for the fulfilment of the obligations or application of legally prescribed powers of the controller or other person to which the data is related in the area of work, social insurance, and social protection.

In the following text, we will be giving some good and bad examples of the employer’s data collection practices:

  • Good practice: diagnosis of COVID-19 infection by a competent doctor. Bad practice: the implementation of blood tests or other tests by the employer (or a person hired by the employer for such purposes) or daily temperature measurements.
  • Good practice: collecting data only on close contacts that have become infected or have symptoms. Bad practice: collecting data about all persons with whom the employee has been in contact.

It should be considered that different rules will be applied depending on whether the employees work from home or come to work at the employer’s premises.

If the employee works from home, the collection of the employee’s data will surely be narrowed down, since the employer has fewer obligations concerning safety and protection measures in the workplace. However, the Commissioner highlighted that, if such work also involves personal data processing, employers are obligated, in accordance with the principle of integrity and confidentiality, to ensure adequate measures to protect personal data, including measures such as checking the security of the network and of correspondence via business email.


Question 4: Can the employer easily solve this matter by obtaining the employee’s consent?

In most cases, consent will not be an adequate legal basis. The employer and employee are in a relationship of subordination, in which case consent can often be coerced. A more detailed explanation of consent as a legal basis in the employment context can be found in our previous blog 9 Most Common Misconceptions of Employers on Personal Data Protection.

Question 5: Can the employer share information about which of the employees have become infected with other employees?

The employer can share information with the staff about the presence of the virus on the company premises, but without giving names or other identifying information of the infected employee, except if it is truly inevitable.

If the employee became infected while working from home, thus if the employer enabled their employees to work from home, we see no reason to share the personal data of the infected employee.

A step further in implementing measures within the business premises can involve introducing special hotlines for emergency calls in the context of the coronavirus, which would aid the employees, who suspect that they are potentially infected, in asking for help anonymously and without spreading panic.

Question 6: What obligations does the employer have towards the employee who tested positive for COVID-19 in terms of data protection?

In accordance with the principle of transparency, the employer is obligated to inform the person the data refers to about which of their data is disclosed, to whom, for what purpose, and how long the retention period is.

After the pandemic ends and the virus no longer poses a threat, the employer is obligated to erase all collected personal data of their employees in relation to the coronavirus.

Question 7: When is sharing personal data allowed?

As mentioned above, the health data of the employee requires a higher level of protection, in accordance with their nature and sensitivity. This raises the question of the usage restriction regarding this type of data, as well as the justification of their disclosure to third parties. In this respect, the majority of the national data protection authorities agree – infected employee’s personal data can be disclosed only if it is necessary, in order to protect public interests and public health, for instance:

  • Sharing with subjects required to be involved in order to implement certain health and safety measures, or
  • Sharing with government authorities and organizations, when mandatory.

European countries

  • The UK aligned its approach with the Statement by the EDPB: the employer shall undertake all the necessary measures to protect the employees and holds the right to be notified if an employee is potentially infected. Furthermore, employers whose businesses involve direct contact with clients may require all visitors to comply with the instructions of the competent authorities before entering the employer’s business premises.

  • In France, the employer has the authorization to collect coronavirus-related data referring to the employees only upon the request of competent authorities, but not before implementing all the prescribed measures of protection and work organization during the epidemic.

  • Italian authorities prescribe that the detection and repression of COVID-19, by all means, is the exclusive mission of the civil protection subjects and professional healthcare institutions, in accordance with the legislation. Therefore, employers shall refrain from performing self-initiated measures regarding data collection.

  • Spanish data protection authority issued a statement entirely in accordance with the one by EDPB, highlighting which requirements need to be fulfilled, in relation with data collecting and processing during the coronavirus epidemic: a) lawful basis for processing – referring to Article 9 of GDPR, Spanish Data Protection Law and Labor Law, and b) data minimization.
