Although COVID-19 has become a part of our everyday lives, certain questions remain unclear in practice. Since the beginning of the COVID-19 pandemic, employers have often faced situations in which their employees are COVID-19 positive. This challenge raises several doubts relating to the implementation of health protection measures in the workplace and the exchange of information on the one hand, and the protection of employee privacy on the other.
These questions arise not just in respect to the employer-employee relationship, but also in relation to other visitors to different business premises (for example, clients, suppliers, job candidates, and so on).
Unlike the majority of European countries, the local supervisory authority, the Commissioner for Personal Data Protection (hereinafter: the Commissioner), has not issued any concrete instructions for companies with respect to the processing of personal data of either employees or company visitors. On multiple occasions, the Commissioner has called on the public, especially public authorities and the media, to ensure that activities related to preventing the spread of the coronavirus do not violate the right to privacy of those infected. The Commissioner briefly discussed the matter of employer obligations in his Statement of April 1, 2020, but the statement does not contain any further instructions.
Bearing in mind that the Personal Data Protection Act is a “clone” of sorts of the EU General Data Protection Regulation (hereinafter: GDPR) (explained in detail in our blog The New Law on Personal Data Protection – Key Novelties), a potential solution may be to consult the Statement on the processing of personal data in the context of the COVID-19 outbreak, which was issued by the European Data Protection Board (hereinafter: EDPB or the European Board). Besides this, certain conclusions can be drawn by analyzing the solutions implemented in some EU countries.
We will analyze the matter by answering the hypothetical questions we have most often come across in practice.
Question No. 1: Can the employer derogate the rules on the employees’ personal data protection to deal with the matter of health protection?
In short: NO
The European Board emphasized that the rules on data protection do not in any way obstruct the implementation of emergency measures introduced to prevent the spread of the coronavirus and, therefore, that those processing personal data (including employers) must maintain a certain level of protection of the collected personal data regardless of whether a state of emergency or emergency situation has been declared in their country.
Additionally, the Commissioner expressed in the statement given during the state of emergency that, unlike other rights (for example, the right to assembly), the right to personal data protection is not limited during a state of emergency. Therefore, in a situation where no state of emergency is in force, there is even less room to consider limiting the right to personal data protection.
Question No. 2: Which employees’ data does the employer have the right to process?
From the perspective of personal data protection, the employees’ personal data collected by the employer in the context of COVID-19 can be divided into two groups:
Personal data in the general data protection regime includes all personal data except data that falls into the categories explicitly defined in the law. Such data is processed in accordance with the general rules.
As we have previously written, companies must comply with the six data protection principles. We call them “the holy commandments”, considering that each procedure and rule the company implements must be in accordance with all six principles at all times. Besides this, for the processing to be lawful, the purpose of the processing must fall under one of the six lawful bases. Hence, there are no limitations when it comes to processing purposes, but each purpose must be subsumed under one of the six lawful bases. To find out more about the principles and lawful bases for processing, please see our blog Tic-Toc… Is Your Company Compliant with the New Law on Personal Data Protection?
However, according to Article 9 of the General Data Protection Regulation (GDPR), health data is classified into the special (particularly sensitive) data category, which requires a higher level of protection compared to other data. This means that this type of processing should be given special attention.
While the processing of personal data in the general data protection regime is generally permitted under the GDPR, the processing of particularly sensitive data is, as a general rule, prohibited.
Nevertheless, Article 17 of the Personal Data Protection Act (corresponding to Article 9 of the GDPR) lists 10 itemized exceptions to the prohibition on processing particularly sensitive data. To process sensitive data lawfully, in every concrete situation it is necessary to subsume the processing under one of these exceptions.
Thus, if personal data relates to the health status of a person, all legal conditions of both the general and the special protection regime must be met during the processing.
Based on the above, it appears that the employer’s first step will be determining whether the personal data falls under the category of health data (special protection regime) or data in the general data protection regime.
We will illustrate a few of the most common examples:
| PERSONNEL DATA | DATA PROTECTION REGIME |
|---|---|
| Data about the employee’s COVID-19 symptoms | Requires the special data protection regime |
| Data about the employee’s COVID-19 test results | Requires the special data protection regime |
| Data about the contacts of the employee who contracted COVID-19 | Requires the general data protection regime |
| Data about traveling to high-risk areas | Requires the general data protection regime |
Question No. 3: What should the employer look for in every situation?
Unfortunately, there is no “one-size-fits-all” solution. In each specific case, the employer will have to determine the purpose of processing, categorize it under a legal basis prescribed by law, and ensure that the processing complies with the principles of processing.
In general, the legal bases for data processing in the general data protection regime will most often be:
- Compliance with the legal obligations of the controller (employer), such as ensuring safety and the protection of life and health at work (Article 80 of the Employment Act and the Law on Safety and Health at Work)
- The legitimate interest of the employer or a third party
and, only in exceptional cases:
- Protection of the vital interests of the person to whom the data relates or of another natural person
- The employee’s consent.
For particularly sensitive data, legitimate interest will not be relevant, since it cannot serve as the basis for processing such data. Instead, it will be necessary to meet the conditions of one of the exceptions prescribed by Article 17 of the Law on Personal Data Protection (or Article 9 of the GDPR). In practice, the processing will most often be necessary for fulfilling the obligations or exercising the legally prescribed rights of the controller or of the person to whom the data relates in the field of employment, social insurance, and social protection.
In the following text, we will be giving some good and bad examples of the employer’s data collection practices:
| POTENTIALLY PERMITTED PROCESSING | POTENTIALLY PROHIBITED PROCESSING |
|---|---|
| Diagnosis of COVID-19 infection by a competent doctor | Blood tests or other tests carried out by the employer (or a person hired by the employer for such purposes), or daily temperature measurements |
| Close contacts who have become infected or have symptoms | Data about persons with whom the employee has been in contact |
It is important to note that different rules will apply depending on whether employees work from home or come to work at the employer’s premises.
If the employee works from home, the scope of collected employee data will certainly be narrower, since the employer has fewer obligations concerning safety and protection measures in the workplace. However, the Commissioner emphasized that, if such work also involves the processing of personal data, then in accordance with the principle of integrity and confidentiality employers are obliged to ensure adequate protection of personal data, which includes implementing technical and organizational measures such as checking the security of the network and of correspondence via business email.
Most of the time, consent will not be an adequate legal basis for the processing of employees’ personal data. The employer and employee are in a relationship of subordination, so consent can often be coerced rather than freely given. A more detailed explanation of consent as a legal basis in the employment context can be found in our previous blog 9 Most Common Misconceptions of Employers on Personal Data Protection.
Question No. 5: Can the employer share with other employees information on infected employees?
The employer may inform staff about the presence of the virus within the company premises, but without giving the name or any other identifying information of the infected employee, unless this is truly unavoidable.
If the employee became infected while working from home (that is, where the employer had enabled employees to work from home), it would be difficult to find a reason to share the personal data of the infected employee at all.
An additional step in implementing measures within the company can be a dedicated hotline for coronavirus-related emergency calls, which would allow employees who suspect they may be infected to ask for help anonymously and without spreading panic.
Question No. 6: What obligations does the employer have towards the employee who is COVID-19 positive in terms of data protection?
In accordance with the general principle of transparency, the employer is obliged to inform the person to whom the data refers about which of their data is disclosed, to whom, for what purpose, and for how long it is retained.
Additionally, once the virus no longer poses a threat, the employer is obliged to erase all personal data of employees collected in relation to the coronavirus.
Question No. 7: When is sharing personal data allowed?
As mentioned above, the health data of employees requires a higher level of protection due to its nature and sensitivity. In this regard, one more question should be raised: what are the restrictions on the use of this type of data, and how can its disclosure to third parties be justified? On this point, a significant number of national data protection authorities agree: the personal data of an infected employee may be disclosed only where necessary to protect public interests and public health, for instance:
- Sharing with parties that must be involved in order to implement certain health and safety measures, or
- Sharing with government authorities and organizations, where mandatory.
European countries
- The United Kingdom aligned its approach with the EDPB’s Statement: the employer should undertake all the necessary measures to protect employees and has the right to be notified if an employee is potentially infected. Additionally, employers whose businesses involve direct contact with clients may require all visitors to comply with the instructions of the competent authorities before entering the employer’s business premises.
- In France, the employer is authorized to collect coronavirus-related personal data of employees only upon the request of the competent authorities, and only after implementing all the prescribed measures of protection and work organization during the epidemic.
- The Italian authorities announced that the detection and containment of COVID-19 is in any case the exclusive mission of professional healthcare institutions and civil protection bodies, in accordance with the legislation. Therefore, employers should refrain from self-initiated data collection measures.
- The Spanish data protection authority issued a statement following that of the EDPB, highlighting which requirements need to be fulfilled in relation to data collection and processing during the coronavirus epidemic: a) a lawful basis for processing, with reference to Article 9 of the GDPR, the Spanish Data Protection Law and the Labor Law, and b) data minimization.