How Should Companies Respond to the COVID-19 Pandemic and Remain Compliant with the GDPR?

Data protection is not antithetical to, but rather constitutes an integral part of, corporate and state responses to the Coronavirus (“COVID-19”) pandemic. With the COVID-19 outbreak having reached pandemic proportions, employers in affected countries are searching for the most appropriate ways to lawfully process their employees’ data in a relentless effort to contain the virus. Appropriate measures to protect employee data deter personal stigmatization, establish a level of trust between employers and employees, decrease unreported cases and make employees partners in the fight against the virus.

Data Processing in the Framework of Corporate Responses to COVID-19

These days corporations engage in an extensive collection and processing of data for the purposes of preventing and / or containing the COVID-19 outbreak within their businesses. Such data mainly refer to employees and contractors along with their relatives but may also extend to visitors of corporate premises and representatives of clients and suppliers.

Corporate measures may be both preventive and quarantine-related and can involve the collection of both personal data and special categories of data through questionnaires, reporting or even thermal cameras and health checks. Types of collected personal data may thus include the reporting of travel, data related to the circumstances of infection events and the tracing of personal contacts. Special categories of data may include many types of health data, such as data related to the health status of employees, the reporting of symptoms or health examinations and check-ups.

Nevertheless, compliance with data protection law of any public sector measures taken for the prevention and containment of the Coronavirus is explicitly stipulated as a statutory requirement in article 1 § 3 of the relevant Emergency Acts, dated 25.02.2020 (Government Gazette 42/A/25-02-2020). Correspondingly, any emergency measures taken by corporations in response to COVID-19 are still required to fully comply with the GDPR and Greek Law 4624/2019.

Legal Bases of Corporate Processing of Personal Data in Response to COVID-19

Employers are responsible under the law for the health and safety of their employees. In view of the COVID pandemic and the emergency measures taken by the Greek state, employers are obliged to ensure the health and safety of employees and to take necessary preventive measures to protect the health and safety of their personnel on the grounds of a risk-based approach, even by implementing collective measures of protection (article 42 § 1, 5, 6 and 7 of Law 3850/2010). In the context of such measures, employers may lawfully process personal data, if such processing is necessary to comply with their obligations for health and safety in their workplaces (article 6 § 1 c’ of the GDPR).

Furthermore, employers may lawfully process personal data, if such processing is necessary in order to protect the vital interests of their personnel and relatives (article 6 § 1 d’ of the GDPR). An interest is deemed to be vital only when it is essential for the life of the data subject or that of another natural person. The monitoring of epidemics is a type of processing, which may serve both important grounds of public interest and the vital interests of the data subject (recital 46 of the GDPR). Given that the COVID-19 fatality rates are relatively high and the current outbreak has acquired pandemic status, employers may lawfully collect and process employee personal data on the grounds that such processing is necessary to protect the vital interests of their personnel by deterring or delimiting exposure of their employees to COVID-19. Still, processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.

On the other hand, employers may not be able to process personal data for the performance of tasks carried out in the public interest under article 6 § 1 e’ of the GDPR. Such processing ought to be explicitly stipulated in EU or national statutory provisions, carefully crafted to balance public interest objectives with the fundamental rights of data subjects. The COVID-related emergency acts issued in Greece in recent days do not fulfill such criteria.

In all cases, employers are required to comply with the general principles of processing enlisted under article 5 of the GDPR, the principles of data minimization and storage limitation being of particular relevance.

Legal Bases of Corporate Processing of Health Data in Response to COVID-19

As far as the processing of employee health data is concerned, far stricter rules apply.

As a general rule, employers may lawfully process special categories of employee data only if processing is necessary for the assessment of the working capacity of an employee by or under the responsibility of a professional subject to the obligation of professional secrecy (article 9 § 2 h’ of the GDPR). Such processing may only be related to specific cases, where there is strong suspicion of infection, and may only be conducted by an occupational physician or other healthcare practitioner. Hence, blanket measures of health data processing across all employees, contractors and visitors cannot be accommodated under this legal basis.

The processing of special categories of data for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, may also be lawful. In this context, recital 52 of the GDPR explicitly makes reference to the prevention or control of communicable diseases and other serious threats to health as a specific example of the processing of special categories of data in the public interest. Yet, such processing is required to be executed on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy (article 9 § 2 i’ of the GDPR). Again, the COVID-related emergency acts issued in Greece in recent days do not fulfill such criteria.

Yet, according to article 49 § 1 and 2 of the Law, employees have the obligation to comply with corporate health and safety rules and to take care of both their own health and the health of other persons, by, among other things, reporting immediately to their employer any incidents which may reasonably be considered to present an immediate and serious danger to health and safety at work. Hence, employers may lawfully impose reporting obligations on employees in respect of suspected cases of infection by COVID-19 and lawfully collect such information under article 9 § 2 i’ of the GDPR.

In case of health data processing, employers are also expected to fully comply with the general principles of processing enlisted under article 5 of the GDPR, especially paying attention to the principles of data security, data minimization and storage limitation.

Supervisory Authorities’ Guidance on COVID-19 and Data Protection

In its Guidelines of 6 March 2020, the French Supervisory Authority (“CNIL”) recommended that employers refrain from collecting, in a systematic and generalized manner or through individual inquiries and requests, information relating to the search for possible symptoms presented by employees / contractors and their relatives, for example by implementing regular mandatory readings of the body temperature of all employees, contractors or even visitors, or by collecting medical examinations or questionnaires from all employees and contractors.

Nevertheless, in the event of an infection by COVID-19, an employer may record (i) the date and identity of the person suspected of having been exposed, and (ii) the organizational measures taken (confinement, teleworking, orientation and contact with the occupational doctor, etc.).

In the same manner, the Italian Supervisory Authority (“Garante”) has issued its Guidelines on COVID-19, stating that employers must refrain from collecting employee health data in advance and in a systematic and generalised manner, since such processing is the responsibility of healthcare professionals and public entities with tasks related to the protection of public health.

On the contrary, the German Federal Commissioner for Data Protection and Freedom of Information (“BfDI”) adopted a much more flexible approach in its relevant Guidelines, which may partly be justified on the grounds of German labour law, according to which employers may lawfully process personal data (including health data) when an infection has been identified, or the data subject has been in contact with an infected person, or the data subject has visited a high-risk country. Data may also be collected from guests and visitors to determine whether they have been infected, have been in contact with an infected person or have visited a high-risk country.

Do’s and Don’ts in the Corporate Fight against COVID-19

Taking the foregoing into account, the following conclusions can be drawn in relation to the processing by employers of personal data for the prevention and / or containment of COVID-19 within their employment environment:

  • The processing of personal data across all employees is permissible only if it is absolutely necessary for the prevention and containment of COVID-19 infections in the workplace;
  • When there is suspicion of infection, the processing of a specific employee’s personal data is permitted to the extent necessary to trace contacts and impose measures of quarantine;
  • The processing of personal data reported by employees in relation to suspicions of infection is permissible.

In terms of health data processing, the following do’s and don’ts apply:

  • The processing of health data in a systematic and generalised manner is prohibited;
  • The processing by employers of visitors’, clients’ or suppliers’ health data is generally prohibited;
  • The processing of a specific employee’s health data is only permitted when there is suspicion of infection and may only be conducted by the occupational physician or a healthcare professional subject to the obligation of professional secrecy;
  • The processing of health data reported by employees in relation to suspicions of infection is permissible.

Of course, employers are free to impose and implement reporting and hygiene procedures and policies as means to minimize risks arising from COVID-19 infection at work.

Compliance Check-List

When planning to implement measures against COVID-19 in their workplaces, employers ought to take the following actions in compliance with their privacy by design and default (“PbDD”) and accountability obligations:

  • If designated, engage the DPO already from the planning stage;
  • Implement privacy by design and default (“PbDD”) in the measures to be taken;
  • Document lawful bases and balancing tests in the process of designing relevant protection measures;
  • Conduct a DPIA;
  • Draft and implement relevant corporate policies and procedures, e.g. health at work during the COVID-19 outbreak policies and business continuity plans;
  • Update their register of processing activities;
  • Provide notice to data subjects about the processing;
  • Respect data subject rights throughout the duration of the relevant processing activities.

The Guidelines of the French CNIL, the Italian Garante and the German BfDI can be found here, here and here.