In the context of the coronavirus pandemic, companies are implementing exceptional measures to protect the health and safety of their employees and clients. As a result of these extraordinary measures, employers may collect new types of personal data; for example, they might want to check whether employees have symptoms of the virus.
The European Data Protection Board (“EDPB”) and the Commission nationale pour la protection des données (“CNPD”) recently published recommendations[1] on the collection of personal data in the context of a health crisis. In light of these recommendations, we have collated a series of questions and answers to assist you in ensuring compliance with the recommendations.
1) WHAT DATA CAN I COLLECT IN THE EVENT OF A SUSPECTED CORONAVIRUS INFECTION IN MY COMPANY AND ON WHAT BASIS?
In the event of a suspected coronavirus infection in your company, within the framework of your health and safety obligations under the Labour Code, you may record:
- the date and the identity of the person who might have been exposed to the virus;
- the organisational measures taken (quarantine, teleworking, contact with the occupational health service, etc.).
At the request of the health authorities, you will provide them with information such as the nature of the employee’s exposure, and health data necessary for them to decide which measures need to be put in place for the concerned employee/agent.
The data processing operations carried out by the employer in this context may be justified on the basis of compliance with its legal obligations in the field of health and safety at work (Article 6(1)(c) of the GDPR).
In addition, the employer may base the processing of health data on its obligations in the field of employment law (Article 9(2)(b) of the GDPR), on grounds of public interest in the domain of public health (Article 9(2)(i) of the GDPR), or on the need to safeguard the vital interests of the data subjects (Article 9(2)(c) of the GDPR).
2) HOW TO MANAGE INTERNAL COMMUNICATION ABOUT THE VIRUS?
In order to ensure optimal management of communication on suspected coronavirus infections, the CNPD recommends:
- raising awareness and inviting employees/agents to personally inform the employer or the health authorities regarding possible exposure; and
- facilitating the circulation of information by setting up, if necessary, dedicated channels to guarantee the security and confidentiality of data.
Article L. 313-1. of the Labour Code provides that employees have a duty to take care, according to their means, of their own personal safety and health as well as other persons who may be affected by their acts or omissions at work, in accordance with their training and with the instructions from the employer. Therefore employees must inform the employer if they suspect that they have been exposed to the virus. You should inform your employees of this obligation.
In order to be able to implement such recommendations, we advise you to draw up an internal procedure and to prepare a dedicated privacy information notice, or at least to update your existing internal privacy information notice or policy. This should include the reporting obligation applicable to employees who suspect they have been exposed to the virus, which should be clearly displayed, as well as the nature of the information to be provided, the persons authorised to receive reports, and / or the creation of an email address dedicated to reports of suspicious cases. The new notice should be circulated to all staff.
3) CAN I DISCLOSE THE IDENTITY OF EMPLOYEES AFFECTED BY THE VIRUS?
According to the recommendations of the EDPB, employers are required to inform their staff about the existence of any COVID-19 cases within the company and to take protective measures.
In compliance with the principle of data minimisation, employers shall not disclose more information than what is strictly necessary to protect the health of the employees.
The CNPD has specified that the identity of the persons concerned shall not be disclosed to third parties or to other staff members unless there is a clear justification to do so. Therefore, in order to assess whether the disclosure of the identity of the concerned persons is justified (e.g. the need to quarantine the staff members that have been in contact with the person in question), a case-by-case analysis shall be carried out.
In the event that it would be necessary to disclose the names of employees who have contracted the virus, they must be informed in advance and the employer must ensure that their dignity and integrity are respected.
4) TO WHAT EXTENT CAN I CARRY OUT CHECKS TO IDENTIFY SUSPECTED CASES OF INFECTION?
Collecting information with a view to researching possible symptoms presented by an employee, an external person or their relatives on a systematic and generalised basis, or through individual inquiries and questions, is forbidden.
The CNPD prohibits:
- requiring employees to provide the employer with daily body temperature data or to complete pre-determined medical forms or questionnaires; or
- asking visitors or other external persons to sign a pre-established declaration certifying that they do not have symptoms of coronavirus or that they have not recently travelled to a risk area, etc.
5) HOW CAN DATA SECURITY BE PRESERVED IN THE CONTEXT OF TELEWORKING?
In the context of teleworking, the employer remains responsible for incidents affecting the security of personal data and shall put in place appropriate technical and organisational measures such as:
- employees’ access to the company’s IT system must be provided via a secure access point (for example a VPN connection) with a robust access verification procedure;
- the employer shall ensure that employees respect the minimum security measures provided (e.g. locking the computer after leaving the workstation; taking confidential telephone calls without the presence of other persons who might hear the conversations; securing the Wi-Fi network used for teleworking);
- the implementation of a teleworking policy defining employees’ obligations, particularly those intended to preserve the confidentiality and security of data;
- the prohibition or at least the limitation of the use by employees of documents containing confidential data in physical format (files, printouts); and
- preventing as much as possible the use of the employees’ private IT equipment for telew
If the use of private equipment cannot be avoided, the employer must ensure that it is adequately secured. Measures should be taken to ensure the separation of private and professional data.
6) MONITORING OF EMPLOYEES WHO ARE TELEWORKING: IS IT POSSIBLE?
Such monitoring is possible, but within strict limits.
Despite the exceptional circumstances caused by coronavirus, employers are not allowed to set up a system for monitoring employees beyond the conditions provided for in Article L. 261-1. of the Labour Code.
Prior to processing data for supervisory purposes, the employer must inform the employees concerned, as well as the staff representative or, if appropriate, the labour and mines inspectorate. In addition, certain processing operations are subject to a joint decision to be reached by the employer and the staff representative.
Employers who violate the abovementioned provision may be subject to imprisonment for eight days up to one year, and / or a fine of up to EUR 125,000.
7) IS IT NECESSARY TO UPDATE MY PRIVACY POLICY?
You should check whether your privacy policy and your record of processing activities contain the necessary information about the categories of data collected and the purposes of processing.
If you collect new categories of personal data and / or use personal data for new purposes, you should update your documentation to reflect these changes and inform your employees of all changes.
The MDTP (Media, Data, Technologies & IP) team of Molitor Avocats à la Cour is at your disposal to assist you with any questions you may have on the impact of coronavirus on data protection, or on your business in general.
[1] CNPD, Coronavirus (covid-19): Recommandations de la CNPD relatives à la collecte de données personnelles dans un contexte de crise sanitaire, https://cnpd.public.lu/fr/actualites/national/2020/03/coronavirus.html
EDPB, Statement on the processing of personal data in the context of the COVID-19 outbreak, https://edpb.europa.eu/our-work-tools/our-documents/other/statement-processing-personal-data-context-covid-19-outbreak_en