Due to the outbreak of COVID-19, companies are taking various preventive measures to prevent the spread of the virus. These range from questionnaires (about recent destinations, medical symptoms, etc.) to measuring body temperature (with a thermometer or even with thermal imaging cameras) and taking immunity tests. As part of these measures, in most cases personal data of employees and visitors are processed. How far may a company go in this respect?
Processing of sensitive data
As such, medical tests do not constitute processing of personal data. However, as soon as information is collected, stored, transmitted or consulted, personal data is processed, which implies the need for compliance with data protection legislation including the GDPR.
As soon as data relating to a person’s health are processed, additional caution is required. Indeed, health data are sensitive data and enjoy special protection under the GDPR.
The European Data Protection Board emphasised in its recent guidelines 03/2020 that health data is a broad concept. Both the results of a medical test or a treatment and the information collected in a query (e.g., on symptoms) can be considered as health data.
The GDPR states that any processing of personal data requires a legal basis (e.g., a legal obligation or the legitimate interests of the company). In addition, if sensitive data are also processed, the company will have to invoke a specific exception, since such processing is in principle prohibited.
It can be argued that a company can invoke a valid legal basis for collecting information through, e.g., questionnaires on recent destinations or symptoms. For example, a company could argue that it has an obligation under the welfare law to analyse the risks from the coronavirus in order to be able to take adequate measures to ensure the health, safety and well-being of its employees, or it could invoke its legitimate interest to protect (the health of) its employees and customers and its economic interests (preventing all employees from falling ill at the same time).
However, in order to process health data, it is necessary not only to invoke a general legal basis, but also to have an exception allowing for such processing. In the context of the survey on medical data, or the introduction of medical tests associated with the processing of health data, the following exceptions may be relevant:
1. The explicit consent of the data subject
The GDPR requires that consent must be freely given, specific, informed and unambiguous. This implies, among other things, that there is no imbalance of power between the controller and the data subject. Consent is therefore not a solid exception in the context of the employment relationship. Moreover, if consent is given, it can be revoked at any time.
2. The necessity for the controller or the data subject to respect and exercise specific rights in the field of labour and social security law, or for purposes of preventive or occupational medicine.
Within the framework of the welfare legislation and the duty of care, the employer is obliged to take preventive measures, after a risk analysis and consultation with the internal and external prevention services and the competent consultative body (CPPW/trade union delegation, or if not present, the workers). It does not seem excluded that in some organisations, for certain functions, such tests may be justified. Due account should be taken of the limitations of the welfare legislation (testing must be carried out by or under the supervision of an occupational doctor and is reserved for high-risk functions).
3. Necessity for reasons of substantial public interest where this is provided for by EU or Member State law.
For the time being, Belgian law does not provide for such derogations for companies.
Position of the European Data Protection Board
In a general statement of 16 March 2020 (as further complemented on 19 March 2020), the European Data Protection Board stated that the GDPR does not hinder measures taken in the fight against COVID-19, including by employers, but that, even in these times, care must be taken to ensure that data protection legislation is respected. However, for the processing of personal data by employers, the European Data Protection Board mainly refers to the applicability of national law.
Position of the Belgian Data Protection Authority
The Belgian Data Protection Authority has published on its website a rather strict statement regarding workplace-related processing of personal data in the context of the employment relationship, in which it states, among other things, that:
- Employers cannot force their employees to fill in medical questionnaires or questionnaires related to their recent travel. The DPA recommends that companies encourage their employees to voluntarily report any trips to risky areas or symptoms of the virus;
- As part of the prevention of the further spread of the COVID-19 virus, an employer cannot reveal names of infected persons/employees. The employer may only inform the employees about an infection without mentioning the identity of the person(s) concerned;
- The mere recording of a person’s body temperature does not constitute processing of personal data (and the GDPR is therefore not applicable) insofar as this recording is not accompanied by an additional recording or processing of personal data. The DPA does, however, point out that the employer is not allowed to take measures that go beyond the applicable employment law regulatory framework.
If you want to process personal data to combat the risks associated with COVID-19, carefully analyse the risks and limitations under welfare law but also under data protection law.
Moreover, if processing is permissible, the GDPR principles should be strictly adhered to, including:
- Data minimisation (processing only what is strictly necessary);
- Storage limitation (keep data only as long as necessary);
- Compliance with the obligation of transparency;
- Data security and limitation of access to a restricted list of persons subject to a confidentiality obligation.