Coronavirus and data protection
18 March 2020
The health data of an individual is a special category of personal data within the meaning of Article 9 of the General Data Protection Regulation (GDPR).
This may seem counterintuitive, but the company cannot ask employees to state whether they have been infected with the coronavirus in order to reduce risk in the work environment. Such processing operations would be contrary to the principle of data minimization, as the company may achieve this purpose through other measures which do not involve the processing of personal data at all. For example, a company can train employees to deal with illness, promote remote work, provide disinfectants in the workplace, and create a work environment that encourages employees to exercise caution.
In turn, information disclosed voluntarily by an employee to a company about their medical condition (including information on whether the employee is infected with the virus) must be kept strictly confidential by appropriate technical or organizational measures. The company could, in principle, inform the team that one of its members has been infected, but it is not permissible for personal data to be disclosed that would allow that person to be identified. At the same time, the undertaking may be under an obligation to pass on the information at its disposal to the Center for Disease Prevention and Control (Latvian – Slimību profilakses un kontroles centrs) or other competent authorities, subject to the competence of those authorities.
According to the Data State Inspectorate's explanation, published on the institution's website on March 17, an employer can obtain information from employees on whether they have been abroad in the past 14 days or have been in contact with COVID-19 sufferers or contacts, as the employer has a legitimate interest in safeguarding public health interests and providing protection against the risk of illness of other employees and clients.
However, other national data protection authorities (DPAs) in the Member States of the European Union insist on a much more limited approach to data processing in the context of COVID-19. For example, the DPAs in Belgium, France and Luxembourg emphasize that systematic processing of personal data of employees, which includes regular measurement of body temperature at the workplace, or requests for individuals to confirm regularly that they have no symptoms of COVID-19 or have not recently returned from COVID-19 affected areas, should not be permitted. The Dutch and French DPAs, on the other hand, point out that measuring the body temperature of workers in the workplace may be permissible if it is carried out by a certified labor protection expert.
The diverging views of data protection authorities lead to the conclusion that the right approach is a balanced middle ground that does not disregard the fundamental principles of the processing of personal data. This was also the position adopted by the European Data Protection Board on 16 March, stating that data protection rules (such as the GDPR) do not preclude action against a coronavirus pandemic. However, even in these unusual circumstances, the processing of data must be justified and the controller must ensure the protection of personal data.
This publication has been carefully prepared; however, it is written in general terms and should be considered as general informative material. The team of BDO Law will follow the development of the current situation and publish up-to-date information as soon as any changes come into effect. Please contact BDO Law to discuss your particular situation!