Employers are massively facing situations in which their employees have contracted COVID-19. This challenge often comes with several doubts relating to information exchange and health protection measures in the workplace on one side, and the protection of employee privacy on the other.
These matters occur not just in relation to the employer-employee relationship, but also in relation to others visiting the workplace (for example, clients, suppliers, job candidates, and so on).
Unlike the majority of countries in the EU, the local supervisory authority, the Commissioner for Personal Data Protection (hereinafter: the “Commissioner”) has not introduced any concrete instructions about how employers should handle the processing of personal data of the employees and visitors. The Commissioner has called on the public, especially the media and public authorities, to take care that activities, done with the intent of preventing the spread of the coronavirus, do not violate the right to privacy of those infected, in the current situation. The Commissioner briefly discussed the matter of employer obligations in his Statement from April 1, 2020, but this statement contains no further instructions.
Having in mind that the Law on personal data protection is a “clone” of sorts of the General Data Protection Regulation (hereinafter: GDPR) (explained further in our blog The New Law on Personal Data Protection – Key Novelties), the solution may be to consult the Statement on the processing of personal data in the context of the COVID-19 outbreak, which was introduced by the European Data Protection Board (hereinafter: EDPB or European Board). Besides this, we will analyze how other countries in the EU have dealt with certain matters and draw conclusions in relation to Serbia.
We will analyze by answering hypothetical questions, which we have most often come across in practice.