Coronavirus and the GDPR – privacy advice for companies

Europe

When introducing measures for employees, visitors and contractors to respond to the coronavirus threat, companies must choose procedures that minimise both the risk of infection and privacy non-compliance.

A company, for example, may inevitably obtain information about a worker potentially contracting the coronavirus (e.g. if an employee or a member of his family travelled to a region with confirmed cases).

In addition, a certain amount of data collection may be necessary, such as systematic data collection (e.g. through workplace questionnaires or obliging employees to report travel plans) to identify the risks specific to the organisation. This information may also relate to an employee's private life: whether he has recently gone on holiday to an affected region, whether he has been in contact with a potentially infected person, or whether he has specific health conditions (e.g. a fever or other symptoms related to the coronavirus infection). The latter constitutes health data, which – according to the GDPR – a company may process only in special cases.

So what are these special cases or – in short – how can an employer collect data on the coronavirus that complies with the GDPR?

Lawful collection of Coronavirus data

Employers must always assess whether data collection is necessary and lawful. In the case of health data, Article 6 and Article 9 of the GDPR apply simultaneously. Article 6 covers the legal obligation to ensure health and safety in the workplace and prevent contamination, or the protection of the vital interests of individuals. Article 9 covers carrying out employment obligations, the use of preventive or occupational medicine, assessing employee working capacity and protecting against serious cross-border health threats under the applicable national laws.

Certain circumstances related to an individual may also constitute personal data. If someone is in self-quarantine or wearing a protective mask, co-workers may assume that he has health issues. Therefore, employers must establish an appropriate reporting line to handle employee concerns and harassment complaints. It is vital to ensure that reports about employees (i.e. the voicing of suspicion that someone may have been infected or has violated preventative practices) do not lead to bullying or discrimination.

Outsourcing employee health checks

Even in the absence of symptoms following travel to a particular country, only a doctor is allowed to test an employee and share the necessary medical data with the employer under the applicable professional medical rules. In extreme circumstances (e.g. when the doctor's schedule is full), employers may decide that the employees must perform day-to-day temperature tests themselves or through professional service providers. These tests, however, must always be conducted in compliance with the rules on permitted data processing and data transfers.

Recording the consequences of precautionary measures

To protect against potential claims, companies should record whether employees have accepted the applicable health guidance and if a staff member has unjustifiably refused to fulfil his duties.

Data controllers must remain compliant with the GDPR in extraordinary cases as well, such as if it becomes necessary to verify someone’s travel history (e.g. by using mobile data), health status (e.g. through forced temperature checks) or by using CCTV to monitor compliance with health and safety rules (e.g. a “no handshake policy”). Companies must also be aware that these measures would be premature unless recommended by the relevant health authority and/or advised by another local responsible body.

In all cases, organisations must conduct a risk assessment to understand the legal implications of any protective measures and keep employees informed of the steps taken through ongoing privacy information and customised notices. Remote working rules and business continuity plans must reflect these specific tasks. Employers may consider drafting a specific code of conduct for discussing the health status of staff members or people outside the company. In short, data protection officers must be prepared to field coronavirus-related questions.

For more information on how to ensure that your coronavirus response is GDPR-compliant, contact your regular CMS advisor or local CMS experts: Dora Petranyi, Katalin Horvath and Marton Domokos.