In the context of the coronavirus pandemic, companies are implementing exceptional measures to protect the health and safety of their employees and clients. As a result of these extraordinary measures, employers may collect new types of personal data; for example, they might want to check whether employees have symptoms of the virus.
The European Data Protection Board (“EDPB”) and the Commission nationale pour la protection des données (“CNPD”) recently published recommendations[1] on the collection of personal data in the context of a health crisis. In light of these recommendations, we have collated a series of questions and answers to assist you in ensuring compliance with the recommendations.
In the event of a suspected coronavirus infection in your company, within the framework of your health and safety obligations under the Labour Code, you may record:
At the request of the health authorities, you will provide them with information such as the nature of the employee’s exposure, and health data necessary for them to decide which measures need to be put in place for the concerned employee/agent.
The data processing operations carried out by the employer in this context may be justified on the basis of compliance with its legal obligations in the field of health and safety at work (Article 6(1)(c) of the GDPR).
In addition, the employer may base the processing of health data on its obligations in the field of employment law (Article 9(2)(b) of the GDPR), on grounds of public interest in the domain of public health (Article 9(2)(i) of the GDPR), or on the need to safeguard the vital interests of the data subjects (Article 9(2)(c) of the GDPR).
In order to ensure optimal management of communication on suspected coronavirus infections, the CNPD recommends:
Article L. 313-1. of the Labour Code provides that employees have a duty to take care, according to their means, of their own personal safety and health as well as other persons who may be affected by their acts or omissions at work, in accordance with their training and with the instructions from the employer. Therefore employees must inform the employer if they suspect that they have been exposed to the virus. You should inform your employees of this obligation.
In order to be able to implement such recommendations, we advise you to draw up an internal procedure and to prepare a dedicated privacy information notice, or at least to update your existing internal privacy information notice or policy. This should clearly set out the reporting obligation applicable to employees who suspect they have been exposed to the virus, as well as the nature of the information to be provided, the persons authorised to receive reports, and / or the creation of an email address dedicated to reports of suspected cases. The new notice should be circulated to all staff.
According to the recommendations of the EDPB, employers are required to inform their staff about the existence of any COVID-19 cases within the company and to take protective measures.
In compliance with the principle of data minimisation, employers shall not disclose more information than what is strictly necessary to protect the health of the employees.
The CNPD has specified that the identity of the persons concerned shall not be disclosed to third parties or to other staff members unless there is a clear justification to do so. Therefore, in order to assess whether the disclosure of the identity of the concerned persons is justified (e.g. the need to quarantine the staff members that have been in contact with the person in question), a case-by-case analysis shall be carried out.
In the event that it would be necessary to disclose the names of employees who have contracted the virus, they must be informed in advance and the employer must ensure that their dignity and integrity are respected.
Collecting information with a view to researching possible symptoms presented by an employee, an external person or their relatives on a systematic and generalised basis, or through individual inquiries and questions, is forbidden.
The CNPD prohibits:
In the context of teleworking, the employer remains responsible for incidents affecting the security of personal data and shall put in place appropriate technical and organisational measures such as:
If the use of private equipment cannot be avoided, the employer must ensure that it is adequately secured. Measures should be taken to ensure the separation of private and professional data.
Such monitoring is possible, but within strict limits.
Despite the exceptional circumstances caused by coronavirus, employers are not allowed to set up a system for monitoring employees beyond the conditions provided for in Article L. 261-1. of the Labour Code.
Prior to processing data for supervisory purposes, the employer must inform the employees concerned, as well as the staff representative or, if appropriate, the labour and mines inspectorate. In addition, certain processing operations are subject to a joint decision to be reached by the employer and the staff representative.
Employers who violate the abovementioned provision may be subject to imprisonment of eight days to one year, and / or a fine of up to EUR 125,000.
You should check whether your privacy policy and your record of processing activities contain the necessary information about the categories of data collected and the purposes of processing.
If you collect new categories of personal data and / or use personal data for new purposes, you should update your documentation to reflect these changes and inform your employees of all changes.
The MDTP (Media, Data, Technologies & IP) team of Molitor Avocats à la Cour is at your disposal to assist you with any questions you may have on the impact of coronavirus on data protection, or on your business in general.
[1] CNPD, Coronavirus (covid-19): Recommandations de la CNPD relatives à la collecte de données personnelles dans un contexte de crise sanitaire, https://cnpd.public.lu/fr/actualites/national/2020/03/coronavirus.html
EDPB, Statement on the processing of personal data in the context of the COVID-19 outbreak, https://edpb.europa.eu/our-work-tools/our-documents/other/statement-processing-personal-data-context-covid-19-outbreak_en