As the novel coronavirus (COVID-19) continues its march across the globe, particularly in Europe, and countries take increasingly drastic actions to counter the threat, employers are implementing measures across their organizations to limit the risks of contagion within the workplace. In doing so, employers are starting to collect and process new categories of potentially sensitive information about their employees, including whether they are displaying symptoms of the virus, the results of any COVID-19 testing and body temperature checks, and their geolocation data and social contact history. Consequently, a large proportion of this new information collected by employers will fall within the category of “personal data” and, insofar as it pertains to individuals’ health or COVID-19 status, “special categories of personal data” (or “sensitive personal data”), the use of which is subject to strict compliance requirements under the European Union’s General Data Protection Regulation (GDPR).
A key issue that many employers are facing is how they can effectively monitor and prevent the virus from spreading among their workforces while at the same time ensuring compliance with their obligations under the GDPR. Recently, the European Data Protection Authorities (DPAs) have made it clear that the GDPR cannot be ignored during this ongoing pandemic. Thus, it is important for businesses to keep in mind certain key considerations to ensure their processing activities remain in line with the GDPR’s requirements and to also understand how DPAs are responding to the COVID-19 virus outbreak.
A guiding principle of the GDPR is to avoid collecting, processing, or disclosing data unnecessarily and to maintain privacy—even during a global public health emergency. Prior to engaging in any processing activity involving employees’ personal data, employers must ensure they have a lawful basis for the collection and processing of such data. In the context of processing personal data relating to COVID-19, organizations may be able to rely on the following lawful bases:
In addition to identifying a lawful basis for processing personal data, if the personal data at issue falls within the category of sensitive personal data, then a further condition must be satisfied. Of the existing further conditions, the following are the most likely to be relevant:
There may also be other country-specific legal bases on which organizations can rely to ensure that the processing of personal data and/or sensitive personal data is compliant with data protection law.
Organizations may be tempted to collect as much information as possible from individuals relating to the novel coronavirus outbreak; however, the GDPR requires that organizations only collect as much personal data and/or sensitive personal data as is strictly necessary for the purposes being pursued. Prior to collecting any personal data and/or sensitive personal data from individuals, organizations should have a clear purpose in mind as well as a clear understanding of what personal data and/or sensitive personal data, and level of detail, is required to fulfill this purpose.
Whatever data is collected and used in the fight against COVID-19, organizations should be upfront and transparent about what data they process and for which reasons. Information should be accessible, easy to understand, and include the reasons why (additional) data needs to be processed. Organizations should review their existing privacy notices to ensure that they provide the necessary information regarding the data being collected and the purposes of processing. Employers that collect new categories of personal data or sensitive personal data from employees and use such data for new purposes will likely need to update their existing privacy notices to reflect the recent change in their collection of data from such individuals.
As part of their obligation to ensure the health and safety of their employees, employers may (subject to the requirements of applicable law) inform personnel about COVID-19 cases. Disclosure of such information should be limited as much as possible. If it is necessary to disclose the name of the person who has contracted COVID-19 (and this is otherwise permitted by applicable law) to enable other personnel to take appropriate protective steps, the person who has contracted the virus should first be informed of the intended disclosure.
EU Member States have each implemented their own data protection laws, which should be considered when processing personal data and/or sensitive personal data, together with any guidance issued by local regulators. An updated list of COVID-19 guidance published by DPAs to date is available here.
In a statement recently issued by the European Data Protection Board (EDPB), which we have previously covered here, the EDPB attempted to clarify the legal bases employers can rely upon for processing personal data during the COVID-19 pandemic. Specifically, the EDPB stated that the GDPR provides legal grounds to enable employers to process data in the context of an epidemic, in accordance with national law and within the conditions set therein. In the employment context, the processing may be necessary “for compliance with a [national] legal obligation to which the employer is subject (such as obligations relating to health and safety at the workplace) or in the public interest, such as the control of diseases and other threats to health.” The EDPB also emphasized that the exceptions to the prohibition on processing health data may be available to companies “where it is necessary for reasons of substantial public interest in the area of public health” or “where there is a need to protect the vital interests of the individual.” Although the EDPB shed some light on the purposes for which personal data may be lawfully processed under the GDPR, its guidance did not offer practical advice for employers seeking to ensure their compliance with the lawfulness-of-processing requirement under the GDPR during this uncertain time.
To provide much-needed clarity, the DPAs of nearly all EU Member States have issued specific guidance on how to collect and process personal data related to COVID-19. Several core principles have begun to emerge from this guidance:
For more information on maintaining compliance with the GDPR while implementing measures across your organization to monitor and prevent the spread of COVID-19 among your workforce, please contact your Foley relationship partner or one of the firm’s core privacy and cybersecurity partners. For additional web-based resources available to assist you in monitoring the spread of the coronavirus on a global basis, you may wish to visit the CDC and the World Health Organization.
Foley has created a multi-disciplinary and multi-jurisdictional team, which has prepared a wealth of topical client resources and is prepared to help our clients meet the legal and business challenges that the coronavirus outbreak is creating for stakeholders across a range of industries. Click here for Foley’s Coronavirus Resource Center to stay apprised of relevant developments, insights and resources to support your business during this challenging time. To receive this content directly in your inbox, click here and submit the form.