The European Data Protection Board (EDPB) and a number of European data protection supervisory authorities have recently issued guidance on processing personal data, including special categories of personal data (i.e., health data), in connection with COVID-19. While the General Data Protection Regulation (“GDPR”) generally harmonizes data protection laws across Europe, E.U. Member States may derogate from the law in certain circumstances, including in matters of “public interest.” It is therefore critical for companies to keep abreast of the latest guidance issued by supervisory authorities in jurisdictions relevant to their businesses to ensure they comply with any local law guidance.
Notably, the EDPB as well as the supervisory authorities in Denmark, France, Germany, Ireland, Italy, Luxembourg, Norway, Poland, Spain, and the U.K. have issued guidance on data processing in connection with COVID-19. We provide below a summary of the guidance, statements and reports issued by these authorities. In general, the supervisory authorities highlight that while the GDPR does not prevent organizations from processing personal data, including health data, in connection with COVID-19, companies should nevertheless bear in mind core GDPR principles (such as purpose limitation and data minimization) when processing such data.
In Denmark, the Danish Supervisory Authority (“Datatilsynet”) published a statement on March 5, 2020, in which it provides detail as to how companies should process employee personal data in the context of COVID-19. Specifically, Datatilsynet indicates that, provided an employer complies with other applicable laws (e.g., employment law), it may collect data about whether: (i) an employee has been in a “risk area”; (ii) the employee is at home in quarantine (without stating the reason); and (iii) the employee is ill (without stating the reason). Like other regulators, Datatilsynet urges employers to limit the collection and disclosure of personal data to what is necessary and consider, among other things, whether it is necessary to name the employee at issue (i.e., the employee at home in quarantine).
In its statement (in French) dated March 6, 2020, the French data protection authority (CNIL) issued reminders on the collection of personal data in the specific context of COVID-19.
The statement recalls that employers cannot implement measures which may affect the privacy of individuals, notably where the data collected would go beyond what is necessary or required to assess whether an individual has contracted COVID-19. For instance, employers cannot (i) require employees, agents or visitors to record their body temperature and submit it daily to management, or (ii) collect medical questionnaires from employees or agents.
Nonetheless, the CNIL also recalls that an employer, which is legally responsible for the health and safety of its workforce, is entitled (i) to implement preventive measures, (ii) to carry out information and training actions, and (iii) to put in place an appropriate organization and means to prevent its employees from being infected (as set out in Article L. 4121-1 of the French Employment Code). To that extent, an employer may:
The statement also indicates that, in the event of an alert, the employer may record the following information:
Finally, the CNIL adds that health data may be collected by the health authorities, and that such collection takes place under the supervision of those authorities.
To access the statement (in French), please click on the following link: https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles
The German data protection supervisory authorities competent at the Federal and Länder level (“DSK”) issued their guidance on March 13, 2020. In line with the other European regulators, the DSK stresses that the processing of health data is often permissible, but that the principles of proportionality and lawfulness must be observed. Any collected data should be deleted once it is no longer needed for the purpose of addressing the spread of COVID-19. The DSK considers the following processing of health data to be justifiable:
In its guidance published on March 6, 2020, the Irish Data Protection Commissioner (“DPC”), like other regulators, observes that data protection laws do not impede the provision of healthcare and the management of public health but highlights that there are nevertheless important considerations when handling personal data in this context, particularly with respect to health and other sensitive data. Overall, the guidance urges companies to consider core GDPR principles in processing personal data in the context of COVID-19, such as lawfulness, transparency, data minimization and accountability. On lawfulness, the DPC notes that in an emergency situation where no other legal basis can be identified, it is permissible to process personal data, including health data, to protect the vital interests of an individual. Similar to guidance from other E.U. regulators, the Irish DPC notes the importance of data minimization, i.e., collecting the minimum necessary amount of data to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19.
On March 2, 2020, the Italian Data Protection Authority (“Garante”) issued a statement concerning the processing of personal data of employees and visitors to data controllers’ premises, in which data controllers were asked to refrain from collecting, in a systematic and generalized manner, health data concerning COVID-19 symptoms. However, a few days later, notwithstanding the Garante’s initial position, the Italian Government:
The Protocol highlighted that the processing of such data should:
On March 10, 2020, the Luxembourg supervisory authority (“CNPD”) published guidance indicating what employers should and should not do during the COVID-19 crisis. Specifically, the CNPD recommends that employers should not: (i) require that employees provide their temperature on a daily basis or fill out questionnaires; or (ii) have visitors sign a statement certifying that they have no symptoms of the coronavirus or that they have not recently traveled to a risk zone.
Conversely, the CNPD states that employers should: (i) ask employees to provide information on their possible exposure to the virus to the employer or to the competent health authorities; (ii) facilitate the transmission of information by setting up, if necessary, dedicated channels to ensure data security and confidentiality; and (iii) promote remote working methods and encourage the use of occupational medicine.
In its statement published on March 10, 2020, the Norwegian Supervisory Authority (“Datatilsynet”) focused on clarifying what information constitutes personal data and what information constitutes health data subject to additional protections. Specifically, Datatilsynet indicates that the fact that someone is infected with the coronavirus is health information, but information that someone has returned from a "risk area" and/or that someone has been quarantined is not health information.
Datatilsynet notes that information as to whether an employee has been infected or quarantined should not be disclosed outside of the company and recommends responding to outside requests about an employee by stating only that the employee in question is absent or unavailable.
The Polish data protection authority (“UODO”) issued a statement on March 12, 2020 regarding the evaluation of measures undertaken in relation to the coronavirus in terms of data protection compliance. In summary, the statement sets out that:
On March 12, 2020, the Spanish Supervisory Authority (“AEPD”) published a statement and a report on processing personal data in connection with COVID-19. The AEPD indicates, like other regulators, that data protection law should not be used to impede the effectiveness of the measures taken by the authorities, in particular health authorities, in the fight against the pandemic. However, the AEPD notes that companies processing personal data in the context of their efforts to prevent the spread of COVID-19 must comply with the GDPR, the Spanish Data Protection Law and Spanish sectoral health laws. The report focuses on two key aspects of GDPR compliance—establishing a lawful basis of processing and data minimization.
As to the lawful basis of processing, the AEPD points out that there are a number of legal bases set forth in the GDPR that allow companies to process personal data in connection with COVID-19. However, the AEPD notes that some processing will involve health data and companies must therefore establish a lawful basis of processing under both Article 6 and Article 9 of the GDPR. The report goes on to outline each relevant lawful basis of processing under Articles 6 and 9 and provides relevant examples of data processing. On data minimization, the report states that companies may only process personal data that is adequate, relevant and limited to what is necessary to prevent the spread of COVID-19.
On March 12, 2020, the U.K. Information Commissioner’s Office (the “ICO”) issued a statement and business-friendly FAQs on data protection issues associated with COVID-19. In its statement, the ICO notes that data protection and electronic communication laws do not prevent the government, the NHS or any other health professionals from sending public health messages to people, whether by phone, text or email, as these messages are not direct marketing. The ICO also emphasizes that data protection should not stop organizations from sharing information quickly, but highlights the importance of being proportionate when processing data in connection with COVID-19.
In the FAQs, the ICO reassures organizations that it understands that resources, including finances and people, may be diverted from information governance work during the crisis and that companies should not be concerned about regulatory action from the ICO. Another FAQ addresses an issue that may be relevant to many companies: whether organizations can inform their employees if another employee may have contracted COVID-19. The ICO notes that companies have a duty of care to employees and states that staff should be kept informed of cases within an organization. However, the ICO reminds companies that they may not need to name specific individuals or provide more information than necessary.
As to whether organizations can collect health data in relation to COVID-19 about employees or from visitors to an organization, the ICO again underscores a company’s duty to protect employees’ health but cautions organizations to be mindful about the volume and specificity of information collected. The ICO states that it would be reasonable to ask employees to inform the company if they have visited a particular country or experienced COVID-19 symptoms. In addition, the ICO confirms that, if necessary, employers can share employees’ health information with authorities for public health purposes.