Key Considerations and Guidance for Employers on How to Comply with GDPR During the Novel Coronavirus Pandemic

As the novel coronavirus (COVID-19) continues its march across the globe, particularly in Europe, and countries take increasingly drastic actions to counter the threat, employers are implementing measures across their organizations to limit the risks of contagion within the workplace. In doing so, employers are starting to collect and process new categories of potentially sensitive information about their employees, including whether they are displaying symptoms of the virus, the results of any COVID-19 testing and body temperature checks, and their geolocation data and social contact history. Consequently, a large proportion of this new information collected by employers will fall within the categories of “personal data” and, as much as it pertains to individuals’ health or COVID-19 status, “special categories of personal data” (or “sensitive personal data”), the use of which is subject to strict compliance requirements under the European Union’s General Data Protection Regulation (GDPR).

A key issue that many employers are facing is how they can effectively monitor and prevent the virus from spreading among their workforces while at the same time ensuring compliance with their obligations under the GDPR. Recently, the European Data Protection Authorities (DPAs) have made it clear that the GDPR cannot be ignored during this ongoing pandemic. Thus, it is important for businesses to keep in mind certain key considerations to ensure their processing activities remain in line with the GDPR’s requirements and to also understand how DPAs are responding to the COVID-19 virus outbreak.

Key Considerations for Employers

1.  Ensure you have a lawful basis to process personal data, including sensitive personal data.

A guiding principle of the GDPR is to avoid collecting, processing, or disclosing data unnecessarily and to maintain privacy—even during a global public health emergency. Prior to engaging in any processing activity involving employees’ personal data, employers must ensure they have a lawful basis for the collection and processing of such data. In the context of processing personal data relating to COVID-19, organizations may be able to rely on the following lawful bases:

• Legitimate interests: An organization may consider it necessary to process personal data relating to its personnel (and other individuals) for the purposes of its legitimate interests in managing business continuity and the well-being of individuals with whom it interacts. Any such organization must accordingly consider whether its interests outweigh the interests or fundamental rights and freedoms of the individuals whose personal data are being processed. In the case of the current COVID-19 situation, the legitimate interest is to prevent the spread of infectious diseases and to ensure workplace safety. The collection of employee health data directly relating to the symptoms of novel coronavirus during the outbreak of the disease should be within the reasonable expectation of employees and well aligned with the employees’ individual interests for their well-being, so there is unlikely to be overriding compelling individual rights that would invalidate the processing.

• Compliance with a legal obligation: Depending on the applicable law, organizations may have legal obligations relating to health and safety, and it may be possible to justify certain personal data processing activities on the basis of these legal obligations.

• Contractual necessity: Where the processing of personal data relating to COVID-19 is necessary for an organization's performance of its obligations to employees under the employment contract (whether express or implied terms), such as an obligation to ensure the health, safety, and well-being of employees, then such processing may be justified.

In addition to identifying a lawful basis for processing personal data, if the personal data at issue falls within the category of sensitive personal data, then a further condition must be satisfied. Of the existing further conditions, the following are the most likely to be relevant:

• Employment-related obligations: An organization may be subject to certain obligations under employment law to justify the processing of sensitive personal data relating to COVID-19. This may apply if the employer can assert that it is necessary to take a particular measure in order to comply with its obligation to safeguard employees or others.

• Public interest in the area of public health: If the processing is necessary to protect against serious cross-border threats to health or if the organization is acting on the advice of public medical advisors, it may be possible to rely on this condition to justify the processing of sensitive personal data relating to COVID-19.

• Explicit consent: Although explicit consent of the employee might be preferred, employers will not be able to rely on this basis unless the employee is genuinely free to decide whether to provide their consent, with no threat of adverse consequences if they refuse, in addition to ensuring that the consent meets all of the other requirements for a valid consent under the GDPR.

There may also be other country-specific legal bases on which organization can rely to ensure the processing of personal data and/or sensitive personal data is compliant with data protection law.

2.  Understand what personal data and/or sensitive personal data is required from employees and identify the specific purposes for which that data will be processed.

Organizations may be tempted to collect as much information as possible from individuals relating to the novel coronavirus outbreak; however, the GDPR requires that organizations only collect as much personal data and/or sensitive personal data as is strictly necessary for the purposes being pursued. Prior to collecting any personal data and/or sensitive personal data from individuals, organizations should have a clear purpose in mind as well as a clear understanding of what personal data and/or sensitive personal data, and level of detail, is required to fulfill this purpose.

3.  Review and update privacy notices as necessary.

Whatever data is collected and used in the fight against COVID-19, organizations should be upfront and transparent about what data they process and for which reasons. Information should be accessible, easy to understand, and include the reasons why (additional) data needs to be processed. Organizations should review their existing privacy notices to ensure that they provide the necessary information regarding the data being collected and the purposes of processing. Employers that collect new categories of personal data or sensitive personal data from employees and using such data for new purposes will likely need to update their existing privacy notices to reflect the recent change in their collection of data from such individuals.

4.  Limit disclosures of COVID-19 cases to personnel.

As part of their obligation to ensure the health and safety of their employees, employers may (subject to requirements of applicable law) inform personnel about COVID-19 cases. Disclosure of such information should be limited as much as possible. If it is necessary to disclose the name of the personnel who has contracted COVID-19 (and this is otherwise permitted by applicable law) to enable other personnel to take appropriate protective steps, the personnel who has contracted the virus should first be informed of the intended disclosure.

5.  Refer to local law requirements and guidelines of applicable EU Member States.

EU Member States each have implemented their own data protection laws which should be considered when processing personal data and/or sensitive personal data, together with any guidance issued by local regulators. An updated list of COVID-19 guidance published by DPAs to date is available here.

Regulatory Guidance on the Lawful Processing of Personal Data

According to a statement recently issued by the European Data Protection Board (EDPB), which we have previously covered here, the EDPB attempted to clarify the legal bases employers can rely upon for processing personal data during the COVID-19 pandemic. Specifically, the EDPB stated that the GDPR provides legal grounds to enable employers to process data in the context of an epidemic, in accordance with national law and within the conditions set therein. In the employment context, the processing may be necessary “for compliance with a [national] legal obligation to which the employer is subject (such as obligations relating to health and safety at the workplace) or in the public interest, such as the control of diseases and other threats to health.” The EDPB also emphasized that the exceptions to the prohibition of processing of health data may be available to companies “where it is necessary for reasons of substantial public interest in the area of public health” or “where there is a need to protect the vital interests of the individual.” Although the EDPB shed some light on some of the issues regarding the purposes for which personal data may be lawfully processed under GDPR, its guidance did not offer practical advice for employers seeking to ensure their compliance with the lawfulness of processing requirement under GDPR during this uncertain time.

To provide much-needed clarity, the DPAs of nearly all EU Member States have issued specific guidance on how to collect and process personal data related to COVID-19. Several core principles have begun to emerge from this guidance:

• COVID-19 sensitive personal data, such as medical symptoms and diagnosis, travel history, and contacts with those who have been diagnosed can be processed on the basis of safeguarding public health.

• Employers must continue to adhere to the principles of proportionality and data minimization. For example, employers should inform staff about COVID-19 cases and take protective measures, but they should not communicate more information than necessary. Where it is necessary to reveal infected employees’ names, provided that the national law of the relevant European country allows it, employees must be informed in advance and their dignity and integrity must be protected. Otherwise, such identifying information about the individual should not be disclosed.

• DPAs have scrutinized, if not discouraged or prohibited, mass surveillance techniques by controllers such as the use of questionnaires or temperature checks other than those performed by health authorities.
  
  
• Information collected through checks relating to an employee or visitor’s temperature, even just noting it as “high” or “within a normal range,” will constitute “data concerning health” under GDPR. By recording such data, you will be processing sensitive personal data, which is generally prohibited by GDPR unless you can satisfy one of the legal grounds under Article 9(2).

• Security measures must still be implemented to protect COVID-19-related personal data.

For more information on maintaining compliance with the GDPR while implementing measures across your organization to monitor and prevent the spread of COVID-19 among your workforce, please contact your Foley relationship partner or one of the firm’s core privacy and cybersecurity partners. For additional web-based resources available to assist you in monitoring the spread of the coronavirus on a global basis, you may wish to visit the CDC and the World Health Organization.

Foley has created a multi-disciplinary and multi-jurisdictional team, which has prepared a wealth of topical client resources and is prepared to help our clients meet the legal and business challenges that the coronavirus outbreak is creating for stakeholders across a range of industries. Click here for Foley’s Coronavirus Resource Center to stay apprised of relevant developments, insights and resources to support your business during this challenging time. To receive this content directly in your inbox, click here and submit the form.