Special series COVID-19 - n°3 How to deal with GDPR aspects?

In the context of the difficult and evolving situation arising from COVID-19, most companies are currently facing unprecedented legal issues within their organisations. As a result, they have to significantly adapt their way of working to get through this unique period in the most effective manner possible. In order to assist you in this task, we have identified several hot topics. We propose to present each of these points in a separate newsletter, to be published within the coming days, in which we will provide you with practical hints to approach the situation efficiently.
The third issue of our special series will focus on privacy and data protection issues.
Indeed, companies facing the new challenges arising in the context of COVID-19 may be eager to collect information about their employees, providers, partners, visitors, etc. in order to determine whether the latter have met with somebody at risk, have symptoms, have been travelling, etc.
Some of this information may constitute personal data and, in some instances, even qualify as sensitive personal data when it relates to health, and must therefore be processed (collected, used or disclosed) very carefully and in accordance with applicable law, including the GDPR [1].
In this context, the CNPD [2] and the EDPB [3] have respectively on 10 March and 16 March published guidelines on the processing of personal data in relation to the COVID-19 outbreak.
What should companies avoid doing in relation to the processing of personal data?
Companies must refrain from collecting from employees or any other third party, on a regular basis and through individualized enquiries or requests, information on potential symptoms they could be experiencing. Any practice such as requesting employees to undergo tests or to complete pre-filled medical questionnaires is therefore not allowed.
Instead, companies are encouraged to issue clear communications to their employees, providers or visitors, providing them with guidelines on how to act should they believe they (or their family) are at risk, and encouraging their employees, consultants or providers working on site to self-quarantine at home and work remotely where possible.
In case of infected employees, companies must refrain from disclosing any names to their colleagues or other third parties unless:

  • such disclosure is necessary for the company to comply with employment and/or social security obligations such as its obligation to ensure the health and safety of its employees under article L.312-1 of the Employment Code; or,
  • to the extent necessary to protect the "vital interests" of the employee or another natural person. Regarding this second exception, it can be assumed that the CNPD will not want to give it an interpretation that is too broad, so as to avoid abuses by employers, but will instead assess the notion of vital interest on a case-by-case basis as situations arise during the epidemic. Calling health services to request immediate assistance for a specific employee currently in the office would surely fall within this notion.

It should be noted that, as the CNPD does not consider consent to be freely given by an employee to his/her employer, given the link of subordination, asking for an employee's consent to disclose the fact that he/she tested positive for COVID-19 is not a valid basis for disclosing names.
As a consequence, in the case of an infected employee, companies should contact persons who may have been in contact with that employee and, to the extent described above, communicate without mentioning any name. The individuals concerned should then themselves take any necessary steps, such as contacting their doctor if they have symptoms and notifying the employer if they test positive.
Recommendations to companies in relation to the processing of personal data
Whereas companies are not allowed to proceed with specific enquiries, they are, in the context of the epidemic, allowed to collect and store internally certain personal data such as the date and identity of infected persons (employee, agent, etc.) and of persons who were in contact with them, as well as any measures taken in relation to such cases (request to work from home, request to self-quarantine, contacts with health authorities, etc.).
Such information must be stored with a high level of care and security, and access to it must be limited on a need-to-know basis.
In addition, organisations are encouraged (i) to raise awareness amongst their supervisors and HR department regarding the confidentiality of, and the framework around, any information collected in this specific context and (ii) to provide safe channels of communication that can be used by employees or third parties dealing with the company.
Setting a secure framework for homeworking
Under the GDPR, companies must implement appropriate technical and organisational security measures to protect the personal data they process. The risk to personal data and to the confidentiality of companies' information increases in a context of generalised homeworking.
Organisations must make sure that the solutions used for remote working, audio and video conferencing, etc. are appropriate and sufficiently secured, and that clear guidelines have been provided to employees on how to ensure the highest possible level of confidentiality and avoid any security breaches while working from home.
Any monitoring measure (of working time or of the use of IT tools by employees) implemented by a company must comply with specific requirements such as, but not limited to, informing employees in advance and, in some cases, involving staff representatives. In addition, specific rules may apply to remote working depending on the company's field of activity, such as in the financial or insurance sector.
The members of our Technologies & IP team work remotely and remain available, should you need any assistance in relation to the above.
[1] REGULATION (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
[2] Luxembourg National Commission for the Protection of Personal Data
[3] European Data Protection Board