It became obvious early on that the outbreak of the COVID-19 “Corona” virus was not a simple overblown case of the “fake news” designed to create panic. The momentum that the virus gained created the ubiquitous need to take measures to help prevent its further spreading. This especially applies to employers and their obligation to make their workplaces safe environments for their employees, for legal and business purposes. Many of these measures include processing of personal data and applying these measures is not an easy task due to the restrictions data protection regulation entails. For this reason, employers everywhere (and especially within the EU) are turning their heads looking for some guidance on how to lawfully process personal data of their employees.

Luckily, some European supervisory authorities provided their opinions on how to proceed with data processing activities during these trying times. The most notable are CNIL (France), Garante (Italy), ICO (United Kingdom), Data Protection Commission (Ireland), and NAIH (Hungary). The advice they have given has many common points which we will present here.

GDPR still applies

It is important to emphasise that even in the extraordinary situations like these, data processing must still be in line with the applicable regulation. The requirement for lawful processing of personal data does not entail conflict with the effective provision of needed healthcare whatsoever. In fact, the existing regulation has predicted situations like these. In its Recital 46, the GDPR states that “the processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person… Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.”. This makes it undoubtful that the processing of personal data for the purpose of monitoring epidemics has lawful grounds. However, this does not mean that the processing should be taken lightly.

Another issue here is that, by the very nature of the situation at hand, required measures imply processing of data concerning health that fall under the special categories of personal data. This data is generally not allowed to be processed. However, some exceptions are possible and the one applicable to this situation is the one from the Article 9(2)(i) which states that the processing of special categories of personal data is lawful if “processing is necessary for reasons of public interest in the area of public health…”. Still, the suitable safeguards must be implemented. Such safeguards may include limitation of access to data, strict time limits for erasure, and other measures, such as adequate staff training, to protect the rights of individuals.

Every supervisory authority agrees that the measures taken in response to the virus that entail processing of personal data, including health data, should be necessary and proportionate to the purposes to which the data is being processed.

Other principles for data processing set in the GDPR also apply. Employers should be transparent regarding measures they implement. This includes the purpose of processing personal data and the period of their retention. Transparency can be achieved by complying to the Article 13 and 14 of the GDPR. Data acquired this way should be confidential. This means that the processed data should be secure and not disclosed to third parties without justification. As mentioned before, the principle of data minimisation should be applied – data processing should be necessary and proportionate to the purposes for which they are required. Employers should also be accountable for the processing. This means they should be responsible for the compliance to the data protection regulations and be able to demonstrate it.

Supervisory authorities have also given some specific advice on certain questions. We will lay them out respectively.

Ireland – Data Protection Commission (DPC)

Employers are justified on requiring information from employees and visitors on the virus symptoms they are experiencing and their recent travels to the high risk areas. It is their legal obligation to protect the health of their employees and provide them safe workplace. Introduction of the more stringent requirements, such as questionnaires, should strongly justified by the necessity and proportionality and on an assessment of risk.

Employers are also justified to require their employees to notify them on the fact that they are diagnosed with the virus, so they can take the steps required by the government. Employers may disclose to their employees that someone within the organisation was diagnosed with the virus, however, they should not disclose the identity of that person.

Aforementioned practices must be restricted by what is necessary to implement health and safety measures prescribed by law or the government.

Regarding the timelines for answering the requests of the data subjects, they are set down in law and cannot be changed. But DPC still recognizes the exceptional character of the situation and states that all facts shall be considered while evaluating the complaints.

United Kingdom – Information Commissioner’s Office (ICO)

ICO also recognizes the exceptionality of the situation and states that they will take no regulatory action against the organisations if their data protection practices do not meet the usual standard (e.g. the response to requests takes longer than prescribed by law). This applies only if there is justification for these practices to be hindered by other obligations of the organisation that have much higher priority.

ICO confirms the aforementioned opinion of the DPC that employers should inform their employees on the fact that a person within the organisation was diagnosed with the virus, but again, their identity should not be disclosed.

Likewise, ICO suggests it is reasonable to ask employees whether they have visited certain areas lately and whether they show any symptoms of the virus. ICO feels organisations can reveal the data of the specific employees to the relevant authorities if they are required to do so.

France – CNIL

French supervisory authority has taken somewhat different approach and stated organisations should still not collect health information and information on recent travels of their employees or visitors. However, this should not prevent employees to report their symptoms or recently visited places to their employer through their own initiative, and all employees and visitor should be encouraged to do so.

If an employee is diagnosed with the virus or even in the event of the suspected contact with the virus, they are obligated to report it to the employer. Employers are encouraged to train employees to individually disclose information related to possible exposure to the virus, and to set channels to receive this type of information.

In the event an employer receives the report on the case of the virus within their organisation, they may record the identity of the infected person, the date of recording, and the organisational measures taken. This allows them to submit the required report to the relevant authorities.

Denmark – Datatilsynet

The Danish DPA acknowledges that the data concerning health may be collected and disclosed but stresses the importance of assessing whether the processing is legitimate and limited to what is necessary.

Employers are encouraged to consider whether there is a good reason to collect or disclose the personal data in question. The specific personal data should be necessary, and employers’ purpose must not be possible to achieve by collecting less data. They should also assess whether it is necessary to issue names of the infected persons or persons belonging to a high risk category.

Hungary – NAIH

Supervisory authority from Hungary, NAIH, subscribes to CNIL’s opinion that employers should not request information about the medical history of an employee or any medical documentation. An employer is also not permitted to generally and systematically require employees to undergo medical checks, as it is possible in Italy.

NAIH declared that employers should encourage employees to report possible virus risks. If an employee reports it or an employer becomes aware of any suspicious circumstance, the employer may require the employee to fill out questionnaires that can contain certain information including travel destinations and dates as well as connections with infected persons.

Italy – Garante

Interestingly, in Italy, where the outbreak hit most severely, supervisory authority Garante stated that “employers must refrain from collecting, in advance and in a systematic and generalised manner, including through specific requests to the individual worker or unauthorized investigations, information on the presence of any signs of influenza in the worker and his or her closest contacts, or anyhow regarding areas outside the work environment.”. They justify this by saying that the investigation into and collection of information on the symptoms typical of the virus and on the recent movements of each individual are the responsibility of healthcare professionals and the civil protection system.

Each employee has the obligation to inform their employer of any danger to health and safety at the workplace. For this purpose, employers are encouraged to set up specific channels of communication related to this type of information.

The Garante calls on all data controllers to comply strictly with the instructions provided by the Ministry of Health and the competent institutions to prevent the spread of the virus without undertaking autonomous initiatives aimed at the collection of data also on the health of users and workers where such initiatives are not regulated by the law or ordered by the competent bodies.

Croatia – AZOP

Croatian Personal Data Protection Agency (AZOP) stated that the lawful grounds for processing personal data in a given situation is found in the Article 6(1)(c) of the GDPR if the processing is necessary for compliance with a legal obligation to which the controller is subject. This refers namely to the provisions of Labour Act which define the obligation of employer regarding the protection of life, health, and morals of employee, and the provisions of Occupational Health and Safety Act, which requires employer to systematically promote safety and protection of life of their employees. AZOP also finds legal grounds for processing of personal data in a given situation in the Article 6(1)(d) if processing is necessary in order to protect the vital interests of the data subject or of another natural person.

Regarding the prohibition of processing of special categories of personal data (data concerning health), AZOP, unlike many other supervisory authorities, finds another provision of the GDPR as the applicable exception upon which processing of that data would be lawful. AZOP states that the Article 9(2)(b) exempts the prohibition of processing of data concerning health because “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law”.

AZOP put an accent on the recital 4 of the GDPR which states that the processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.This is why it is of great importance that any processing performed has legal grounds, and is necessary and proportional. Personal data processed should be adequate, relevant, and limited regarding the purposes to which they are processed, in line with the principles of data processing laid out in the Article 5 of the GDPR.

Statement of the European Data Protection Board

EDPB also issued its statement regarding the processing of personal data during the outbreak at 16th of March 2020.

Andrea Jelinek, Chair of the European Data Protection Board (EDPB), said: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

EDPB also states that the GDPR has explicitly foreseen situations like these and provides legal grounds other than consent for processing of personal data. For instance, legal grounds for processing data concerning health exists when it is necessary for employers for reasons of public interest in the area of public health or to protect vital interests or to comply with another legal obligation.

Regarding processing of electronic communication data, such as mobile location data, additional rules apply “The national laws implementing the ePrivacy Directive provide for the principle that the location data can only be used by the operator when they are made anonymous, or with the consent of the individuals.” This means that the public authorities should first process location data in an anonymous way. In the event this is not possible, the Article 15 of the ePrivacy Directive enables the member states to introduce legislative measures pursuing national security and public security.

Conclusion

Since the opinions of supervisory authorities are diverging on certain points, we cannot give you one simple advice. What is certain is that you should follow the advice of your national supervisory authority, submit to your government’s decrees, and hold your activities at a high standard. Remember to process personal data in a manner that is necessary and proportionate to the purposes to which the data is being processed.

The GDPR has given plenty of alternative paths which allow extraordinary scope of processing. The regulation in no way precludes measures needed to be taken for the public health and national security. These goals can be attained without any hinderance from privacy regulation. Just make sure you do not go beyond what is necessary.

Marija Bošković Batarelo, mag.iur

It became obvious early on that the outbreak of the COVID-19 “Corona” virus was not a simple overblown case of the “fake news” designed to create panic. The momentum that the virus gained created the ubiquitous need to take measures to help prevent its further spreading. This especially applies to employers and their obligation to make their workplaces safe environments for their employees, for legal and business purposes. Many of these measures include processing of personal data and applying these measures is not an easy task due to the restrictions data protection regulation entails. For this reason, employers everywhere (and especially within the EU) are turning their heads looking for some guidance on how to lawfully process personal data of their employees.

Luckily, some European supervisory authorities provided their opinions on how to proceed with data processing activities during these trying times. The most notable are CNIL (France), Garante (Italy), ICO (United Kingdom), Data Protection Commission (Ireland), and NAIH (Hungary). The advice they have given has many common points which we will present here.

GDPR still applies

It is important to emphasise that even in the extraordinary situations like these, data processing must still be in line with the applicable regulation. The requirement for lawful processing of personal data does not entail conflict with the effective provision of needed healthcare whatsoever. In fact, the existing regulation has predicted situations like these. In its Recital 46, the GDPR states that “the processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person… Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.”. This makes it undoubtful that the processing of personal data for the purpose of monitoring epidemics has lawful grounds. However, this does not mean that the processing should be taken lightly.

Another issue here is that, by the very nature of the situation at hand, required measures imply processing of data concerning health that fall under the special categories of personal data. This data is generally not allowed to be processed. However, some exceptions are possible and the one applicable to this situation is the one from the Article 9(2)(i) which states that the processing of special categories of personal data is lawful if “processing is necessary for reasons of public interest in the area of public health…”. Still, the suitable safeguards must be implemented. Such safeguards may include limitation of access to data, strict time limits for erasure, and other measures, such as adequate staff training, to protect the rights of individuals.

Every supervisory authority agrees that the measures taken in response to the virus that entail processing of personal data, including health data, should be necessary and proportionate to the purposes to which the data is being processed.

Other principles for data processing set in the GDPR also apply. Employers should be transparent regarding measures they implement. This includes the purpose of processing personal data and the period of their retention. Transparency can be achieved by complying to the Article 13 and 14 of the GDPR. Data acquired this way should be confidential. This means that the processed data should be secure and not disclosed to third parties without justification. As mentioned before, the principle of data minimisation should be applied – data processing should be necessary and proportionate to the purposes for which they are required. Employers should also be accountable for the processing. This means they should be responsible for the compliance to the data protection regulations and be able to demonstrate it.

Supervisory authorities have also given some specific advice on certain questions. We will lay them out respectively.

Ireland – Data Protection Commission (DPC)

Employers are justified on requiring information from employees and visitors on the virus symptoms they are experiencing and their recent travels to the high risk areas. It is their legal obligation to protect the health of their employees and provide them safe workplace. Introduction of the more stringent requirements, such as questionnaires, should strongly justified by the necessity and proportionality and on an assessment of risk.

Employers are also justified to require their employees to notify them on the fact that they are diagnosed with the virus, so they can take the steps required by the government. Employers may disclose to their employees that someone within the organisation was diagnosed with the virus, however, they should not disclose the identity of that person.

Aforementioned practices must be restricted by what is necessary to implement health and safety measures prescribed by law or the government.

Regarding the timelines for answering the requests of the data subjects, they are set down in law and cannot be changed. But DPC still recognizes the exceptional character of the situation and states that all facts shall be considered while evaluating the complaints.

United Kingdom – Information Commissioner’s Office (ICO)

ICO also recognizes the exceptionality of the situation and states that they will take no regulatory action against the organisations if their data protection practices do not meet the usual standard (e.g. the response to requests takes longer than prescribed by law). This applies only if there is justification for these practices to be hindered by other obligations of the organisation that have much higher priority.

ICO confirms the aforementioned opinion of the DPC that employers should inform their employees on the fact that a person within the organisation was diagnosed with the virus, but again, their identity should not be disclosed.

Likewise, ICO suggests it is reasonable to ask employees whether they have visited certain areas lately and whether they show any symptoms of the virus. ICO feels organisations can reveal the data of the specific employees to the relevant authorities if they are required to do so.

France – CNIL

French supervisory authority has taken somewhat different approach and stated organisations should still not collect health information and information on recent travels of their employees or visitors. However, this should not prevent employees to report their symptoms or recently visited places to their employer through their own initiative, and all employees and visitor should be encouraged to do so.

If an employee is diagnosed with the virus or even in the event of the suspected contact with the virus, they are obligated to report it to the employer. Employers are encouraged to train employees to individually disclose information related to possible exposure to the virus, and to set channels to receive this type of information.

In the event an employer receives the report on the case of the virus within their organisation, they may record the identity of the infected person, the date of recording, and the organisational measures taken. This allows them to submit the required report to the relevant authorities.

Denmark – Datatilsynet

The Danish DPA acknowledges that the data concerning health may be collected and disclosed but stresses the importance of assessing whether the processing is legitimate and limited to what is necessary.

Employers are encouraged to consider whether there is a good reason to collect or disclose the personal data in question. The specific personal data should be necessary, and employers’ purpose must not be possible to achieve by collecting less data. They should also assess whether it is necessary to issue names of the infected persons or persons belonging to a high risk category.

Hungary – NAIH

Supervisory authority from Hungary, NAIH, subscribes to CNIL’s opinion that employers should not request information about the medical history of an employee or any medical documentation. An employer is also not permitted to generally and systematically require employees to undergo medical checks, as it is possible in Italy.

NAIH declared that employers should encourage employees to report possible virus risks. If an employee reports it or an employer becomes aware of any suspicious circumstance, the employer may require the employee to fill out questionnaires that can contain certain information including travel destinations and dates as well as connections with infected persons.

Italy – Garante

Interestingly, in Italy, where the outbreak hit most severely, supervisory authority Garante stated that “employers must refrain from collecting, in advance and in a systematic and generalised manner, including through specific requests to the individual worker or unauthorized investigations, information on the presence of any signs of influenza in the worker and his or her closest contacts, or anyhow regarding areas outside the work environment.”. They justify this by saying that the investigation into and collection of information on the symptoms typical of the virus and on the recent movements of each individual are the responsibility of healthcare professionals and the civil protection system.

Each employee has the obligation to inform their employer of any danger to health and safety at the workplace. For this purpose, employers are encouraged to set up specific channels of communication related to this type of information.

The Garante calls on all data controllers to comply strictly with the instructions provided by the Ministry of Health and the competent institutions to prevent the spread of the virus without undertaking autonomous initiatives aimed at the collection of data also on the health of users and workers where such initiatives are not regulated by the law or ordered by the competent bodies.

Croatia – AZOP

Croatian Personal Data Protection Agency (AZOP) stated that the lawful grounds for processing personal data in a given situation is found in the Article 6(1)(c) of the GDPR if the processing is necessary for compliance with a legal obligation to which the controller is subject. This refers namely to the provisions of Labour Act which define the obligation of employer regarding the protection of life, health, and morals of employee, and the provisions of Occupational Health and Safety Act, which requires employer to systematically promote safety and protection of life of their employees. AZOP also finds legal grounds for processing of personal data in a given situation in the Article 6(1)(d) if processing is necessary in order to protect the vital interests of the data subject or of another natural person.

Regarding the prohibition of processing of special categories of personal data (data concerning health), AZOP, unlike many other supervisory authorities, finds another provision of the GDPR as the applicable exception upon which processing of that data would be lawful. AZOP states that the Article 9(2)(b) exempts the prohibition of processing of data concerning health because “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law”.

AZOP put an accent on the recital 4 of the GDPR which states that the processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.

This is why it is of great importance that any processing performed has legal grounds, and is necessary and proportional. Personal data processed should be adequate, relevant, and limited regarding the purposes to which they are processed, in line with the principles of data processing laid out in the Article 5 of the GDPR.

Statement of the European Data Protection Board

EDPB also issued its statement regarding the processing of personal data during the outbreak at 16th of March 2020.

Andrea Jelinek, Chair of the European Data Protection Board (EDPB), said: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

EDPB also states that the GDPR has explicitly foreseen situations like these and provides legal grounds other than consent for processing of personal data. For instance, legal grounds for processing data concerning health exists when it is necessary for employers for reasons of public interest in the area of public health or to protect vital interests or to comply with another legal obligation.

Regarding processing of electronic communication data, such as mobile location data, additional rules apply “The national laws implementing the ePrivacy Directive provide for the principle that the location data can only be used by the operator when they are made anonymous, or with the consent of the individuals.” This means that the public authorities should first process location data in an anonymous way. In the event this is not possible, the Article 15 of the ePrivacy Directive enables the member states to introduce legislative measures pursuing national security and public security.

Conclusion

Since the opinions of supervisory authorities are diverging on certain points, we cannot give you one simple advice. What is certain is that you should follow the advice of your national supervisory authority, submit to your government’s decrees, and hold your activities at a high standard. Remember to process personal data in a manner that is necessary and proportionate to the purposes to which the data is being processed.

The GDPR has given plenty of alternative paths which allow extraordinary scope of processing. The regulation in no way precludes measures needed to be taken for the public health and national security. These goals can be attained without any hinderance from privacy regulation. Just make sure you do not go beyond what is necessary.

Marija Bošković Batarelo, mag.iur