GDPR AND COVID-19
The rapid spread of the COVID-19 virus, also known as the coronavirus, raises many questions related to day-to-day business operations. One of the many legal issues concerns whether companies may disclose and record data about their employees to limit possible infection and further spread of the virus.
The Danish perspective
The question of what data the employer has the right to require and the obligation to disclose information to the employee is governed by the rules of employment and public law. If the above rules are observed, employers may, within the framework of the General Data Protection Regulation (GDPR), take action to limit the risk of infection within the company.
As a rule, the employer may only record and disclose data if the information is not too specific and, thus, does not have the nature of health data as defined in Article 9 of the GDPR. For example, a concrete example of legal processing of data may be, that you announce that an employee is ill or in quarantine at home without, however, specifying the reason for the quarantine.
On 5 March 2020, the Danish Data Protection Agency stated that, as a result of the virus outbreak, it may be justified for the employer to register and disclose health data if the purpose is objective and the information is otherwise limited to the necessary. Also, the basic principles of Article 5 of the GDPR (the general principles of processing) must always be observed.
Such justified processing of health data may be particularly relevant now as the virus infection spreads unchecked. An employee is obliged to disclose, and the company is entitled to know if an employee is sick or suspected of being infected by the coronavirus. It would also be justified to notify the company's other employees of a case of infection within the company. The consideration behind this is that other employees can take the necessary precautions to avoid becoming infected.
France and Italy
The virus outbreak is currently a global issue, which has also led the data protection agencies in France and Italy, respectively, to comment on the registration and disclosure of health data. In both France and Italy, the authorities have announced that employers are not allowed to actively collect health data on their employees, even though the current situation is exceptional.
In France, the authorities have expressly prohibited employers from collecting data about the employees and other visitors' body temperature. However, the company may register and disclose data to relevant health authorities about viral infections if they become aware of them.
In Italy, the authorities have also prohibited employers from collecting health data and data on leisure travel activities. In Italy, however, there is an exception where the employer can ask internal health professionals to carry out health checks on an employee if the employee is working in a working environment with a high risk of infection.
However, in both France and Italy, employees are obliged to notify the employer if they are infected by the virus, after which the registration and transmission of the health data can be performed legally.
Continued compliance with the GDPR
Thus, in Denmark, France, and Italy, the data protection authorities have commented on and specified the rules for the registration and disclosure in the GDPR. Although we are in an exceptional situation globally with the current virus-outbreak, compliance with the data protection rules in the GDPR remains essential as the rules impede neither due diligence nor the adherence to necessary precautions to avoid virus infection. In other words, the rules of the GDPR do not restrict our desire to control the outbreak of the virus.
The Danish Data Protection Agency recommends
On 5 March 2020, the Danish Data Protection Agency stated that it is important to bear in mind that the registration or disclosure of data must always be objective, and that the data must be limited to what is necessary. Therefore, employers should always consider the following:
- Whether there is a good reason for the recording or disclosure of the data in question.
- Whether it is necessary to specify the data, including whether the purpose can be achieved by "disclosing less”.
- Whether it is required to mention names, such as the name of the person infected and/or in quarantine at home.
If you are unsure about how to deal with personal data and the raging virus outbreak in your company, do not hesitate to contact our personal data team. We are ready to provide advice so that you can comply with the GDPR while limiting the virus infection.