The impact of the Covid-19 pandemic on the everyday life of citizens is dramatic. Whilst the protection of our health and that of our loved ones is an absolute priority, we cannot deny that the impact on organisations is equally drastic. Protecting employees, customers and business partners from infection is a new, urgent challenge for many organisations.
As the virus spreads further, the question of how data protection can be guaranteed despite this exceptional situation arises more and more frequently. The fear of infections and paralysis of the business is immense. Many organisations act quickly and make important decisions which, especially because they involve health data of employees, also require an assessment under data protection law. After all, violations of data protection law cannot be justified even by the Covid-19 pandemic. The data protection authorities may also consider and investigate these issues, whether during or after this crisis.
In this news flash, EY Law answers some of the most recurring questions under data protection law, concerning the measures taken by organisations to prevent the further spread of the virus.
Do the particular circumstances of the Covid-19 pandemic override data protection law?
The employer may take preventive measures with regard to work organisation (flexible working hours, teleworking, postponement of staff parties, etc.), and raise awareness with regard to social distancing and hygiene in the workplace. However, as soon as the preventive measures to be taken involve the processing of personal data, the provisions of the General Data Protection Regulation (hereafter “GDPR”) must also be respected.
In this context, it should be pointed out in particular that, at this stage and on the basis of the latest information published by the Belgian Federal Public Health Services regarding Covid-19, there is no reason for a broader or systematic application of the legal basis for the processing of personal data contained in Article 6(1)(d) GDPR (“processing is necessary in order to protect the vital interests of the data subject or of another natural person”) in the context of preventive measures taken by organisations and employers.
This applies in particular to personal data concerning health, for which Article 9 GDPR stipulates that the processing of this type of data shall be prohibited (*).
Can the data protection law conflict with homeworking?
Before allowing homeworking, organisations should double-check that homeworking by their employees does not violate contractual obligations with third parties. For example, some commissioned data protection agreements may contain corresponding prohibitions. Violations can, in the worst case, lead to contractual penalties or extraordinary termination of data processing contracts by business partners.
What kind of security measures should organisations have in place for homeworking during this period?
If employees process personal data from home, they should also comply with the organisation’s internal technical and organisational measures (“TOMs”). For example, documents containing personal data must be kept confidential, i.e. out of reach of life partners, children or visitors. It is the duty of every organisation to inform its employees accordingly and to oblige them to comply with TOMs.
Are organisations allowed to check employees’ temperatures?
Carrying out general and systematic checks, such as measuring employees’ temperatures, by organisations or employers cannot be considered proportionate under the GDPR. It is the occupational physician’s role to follow up on persons whom the employer suspects have been exposed to and/or show symptoms of Covid-19 (*).
Are organisations allowed to oblige their employees to fill in a medical questionnaire or a questionnaire concerning their recent travels?
An employer cannot oblige employees to complete such questionnaires. It is recommended to encourage employees to spontaneously report risky travels and symptoms. In this case, too, the role of the occupational physician should be emphasised (*).
Are organisations allowed to inform their employees about infected colleagues by naming them?
According to the principle of “integrity and confidentiality” of Article 5(1)(f) GDPR and the “data minimization” principle of Article 5(1)(c) GDPR, an employer may not disclose the names of the persons concerned. The employer may only inform other employees of this without mentioning the identity of the person(s) concerned (*).
To what extent must organisations adapt their data protection documentation?
The adaptation of the processes due to Covid-19 also entails the updating of the data protection documentation, in particular the data protection impact assessment (“DPIA”) and the register of processing activities (“ROPA”).
Are you prepared?
Although we are currently facing new factual circumstances, this does not change the position of organisations under data protection laws. As an organisation you must remain compliant with the GDPR in extraordinary cases such as the Covid-19 pandemic. Therefore, you must ensure that you have implemented the necessary data protection documentation and procedures, so that you can process any Covid-19 data in compliance with the data protection laws.
Please do not hesitate to reach out to us in case you would like to discuss the consequences of Covid-19 on the everyday work of your organisation. We have a team of experts who are happy to assist you with the legal questions you might have with regard to these current circumstances.
This newsflash is written from a GDPR perspective. When assessing the legality of actions to be taken, one should also take into account that stricter, deviating rules may exist under specific local employment laws. We therefore work closely with our colleagues in our employment department, which enables us to provide you with fully fledged and tailored advice for your specific case.
(*) The answers given herein take into account the positions taken by the Belgian Data Protection Authority in relation to Covid-19 according to its latest update of 13 March 2020 provided on its website (https://www.gegevensbeschermingsautoriteit.be/covid-19-en-de-verwerking-van-persoonsgegevens-op-de-werkvloer – Dutch version).