The European Data Protection Board (EDPB) and a number of European data protection supervisory authorities have recently issued guidance on processing personal data, including special categories of personal data (i.e., health data), in connection with COVID-19. While the General Data Protection Regulation (“GDPR”) generally harmonizes data protection laws across Europe, E.U. Member States may derogate from the law in certain circumstances, including in matters of “public interest.” It is therefore critical for companies to keep abreast of the latest guidance issued by supervisory authorities in jurisdictions relevant to their businesses to ensure they comply with any local law guidance.
Notably, the EDPB but also the supervisory authorities in Denmark, France, Germany, Ireland, Italy, Luxembourg, Norway, Poland, Spain, and the U.K. have issued guidance on data processing in connection with COVID-19. We provide below a summary of the guidance, statement and reports provided by these authorities. In general, the supervisory authorities highlight that while the GDPR does not prevent organizations from processing personal data, including health data, in connection with COVID-19, companies should nevertheless bear in mind core GDPR principles (such as purpose limitation and data minimization) when processing such data.
On March 16, 2020, the European Data Protection Board (“EDPB”), published a short statement entitled “Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak”. The statement echoes the central message of guidance and statements made by the national supervisory authorities that the GDPR should not stand in the way of data processing but data controllers still need to ensure that they comply with the law when processing data. The statement reaffirms that the GDPR provides for the legal grounds to enable employers and public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject. Specifically, the statement notes that consent is not required where the processing of personal data is necessary for reasons of public interest in the area of public health or to protect vital interests or to comply with another legal obligation.
The statement also reminds organizations that additional rules apply to the processing of electronic communication data. In particular, the EDPB chair points out that the national laws implementing the ePrivacy Directive provide that location data can only be used if consent has been obtained or the data has been anonymized. The EDPB states that when it is not possible to anonymize data, the ePrivacy Directive enables member states to introduce legislation that pursues national and public security. The statement highlights that emergency legislation is possible under the condition that it constitutes a necessary, appropriate and proportionate measure within a democratic society.
In Denmark, the Danish Supervisory Authority (“Datatilsynet”) published a statement on March 5, 2020, in which it provides detail as to how companies should process employee personal data in the context of COVID-19. Specifically, Datatilsynet indicates that, provided an employer complies with other applicable laws (e.g., employment law), it may collect data about whether: (i) an employee has been in a “risk area”; (ii) the employee is at home in quarantine (without stating the reason); and (iii) the employee is ill (without stating the reason). Like other regulators, Datatilsynet urges employers to limit the collection and disclosure of personal data to what is necessary and consider, among other things, whether it is necessary to name the employee at issue (i.e., the employee at home in quarantine).
In its statement (in French language) dated March 6, 2020, the French data protection authority (CNIL) issued reminders with respect to the collection of personal data within the specific context of COVID-19.
This statement recalls that employers cannot implement measures which may affect the privacy of individuals, notably when the data collected would go beyond what is necessary or required to assess one’s contamination to COVID-19. For instance, employers cannot (i) impose mandatory body temperature recordings to employees, agents or visitors to be submitted daily to the management or (ii) the collection of medical questionnaires to its employees or agents.
Nonetheless, the CNIL also recalls that an employer, which is legally in charge of the health and security of its workforce, shall be able (i) to implement any measures that may prevent but also (ii) carry out informational as well as training actions and (iii) implement an appropriate organization and means to prevent the contamination of its employees (as set out by Article L. 4121-1 of the French Employment Code). To that extent, an employer may:
- raise employees awareness and invite them to individually provide information regarding their heath, in particular when such employee may have encountered or have been in contact with a contaminated person:
- facilitate the transmission of such information, notably by implementing dedicated channels to do so;
- promote remote working and the use of occupational physician.
The statement also indicates that, in the event of an alert, the employer may record the following information:
- the date and identity of the individual that may have been contaminated;
- the organizational measures that have been taken (confinement, remote working, contact with the occupational physician etc.).
Finally, the CNIL adds that health data may be collected by health authorities, it being specified that such data collection is under the supervision of these authorities.
To access the statement (in French language), please click on the following link: https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles
The German data protection supervisory authorities competent on the Federal and Länder level (“DSK”) issued its guidance on March 13, 2020. In line with the other European regulators, the DSK stresses that the processing of health data is often permissible, but one should focus on the principles of proportionality and lawfulness. Any collected data should be deleted once no longer needed for the purpose of addressing the Covid19 spread. The DSK considers the following processing situations of medical data to be justifiable:
- Collection and processing of personal data (including health data) of employees by the employer or employers in order to best prevent or contain the spread of the virus among employees. This includes in particular information on the cases:
- in which an infection has been detected or contact has been made with a person who is proven to be infected.
- in which a stay in an area classified as a risk area by the Robert Koch Institute (RKI) took place during the relevant period.
- Collection and processing of personal data (including health data) of guests and visitors, in particular to determine whether they:
- are themselves infected or have been in contact with a person who is proven to be infected.
- have stayed in an area classified as a risk area by the German Robert Koch Institute (RKI) for during the relevant period.
- In contrast, the disclosure of personal data of demonstrably infected persons or persons suspected of being infected for the information of contact persons is only lawful if the knowledge of the identity is exceptionally necessary for the precautionary measures of the contact persons.
In its guidance published on March 6, 2020, the Irish Data Protection Commissioner (“DPC”), like other regulators, observes that data protection laws do not impede the provision of healthcare and the management of public health but highlights that there are nevertheless important considerations when handling personal data in this context, particularly with respect to health and other sensitive data. Overall, the guidance urges companies to consider core GDPR principles in processing personal data in the context of COVID-19, such as lawfulness, transparency, data minimization and accountability. On lawfulness, the DPC notes that in an emergency situation where no other legal basis can be identified, it is permissible to process personal data, including health data, to protect the vital interests of an individual. Similar to guidance from other E.U. regulators, the Irish DPC notes the importance of data minimization, i.e., collecting the minimum necessary amount of data to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19.
The Italian Data Protection Auhtority (“Garante”) has issued on March 2, 2020 a statement concerning the processing of personal data of employees and visitors to data controllers premises in which the latter have been asked to refrain from collecting, in a systematic and generalized manner, health data concerning the symptoms of the Covid-19. However, few days later, despite the initial position of the Garante, the Italian Government:
- on March 9, issued the Law Decree no. 14/2020 providing “Urgent provisions for the strengthening of the National Health Service in relation to the COVID-19 emergency” (“Decree”) in which has been stated that those data controllers not belonging to the Public Administration can process health data in case it is deem necessary for limiting the propagation of the Covid-19;
- on March 14, signed with the national trade union associations a Protocol for the prevention of the Covid-19 in the workplace in which has been expressly allowed the employers in their quality of data controller:
- to monitor the temperature of the employees or visitors as far as possible in an anonymous way;
- to ask for information concerning the movements of the employees or visitors in the last 14 days before allowing them to access the workplace.
The Protocol highlighted that the processing of such data should:
- start after having provided the data subjects with a specific privacy notice;
- respect the principle of minimization, proportionality;
- be made for the only purpose of preventing the diffusion of the Covid-19;
- be made pursuant to art. 1, n. 7, lett. d) of the Decree of the Prime Minister dated March 11, 2020;
- be done throughout the emergency period;
- respect the security principles set forth by art. 32 GDPR;
- not be disclose to third parties different from the Public Authority requesting so.
On March 10, 2020, the Luxembourg supervisory authority (“CNPD”) published guidance indicating what employers should and should not do during the COVID-19 crisis. Specifically, the CNPD recommends that employers should not: (i) require that employees provide their temperature on a daily basis or fill out questionnaires; or (ii) have visitors sign a statement certifying that they have no symptoms of the coronavirus or that they have not recently traveled to a risk zone.
Conversely, CNPD states that employers should: (i) ask employees to provide information on their possible exposure to the virus to the employer or to competent health authorities; (ii) facilitate the transmission of information by setting up, if necessary, dedicated channels to ensure data security and confidentiality; and (iii) promote remote working methods and encourage the use of occupational medicine.
The Norwegian Supervisory Authority (“Datatilsynet”) statement, published on March 10, 2020, focused its advice on clarifying what information constitutes personal data and what information constitutes health data subject to additional protections. Specifically, Datatilsynet indicates that the fact that someone is infected with the coronavirus is health information, but information that someone has returned from a “risk area” and/or that someone has been quarantined is not health information.
Datatylsinet notes that information as to whether an employee has been infected or quarantined should not be disclosed outside of a company and recommends responding to outside requests about an employee that the employee in question is absent or unavailable.
The Polish data protection authority (“UODO”) issued a statement on March 12, 2020 regarding the evaluation of measures undertaken in relation to the coronavirus in terms of data protection compliance. In summary, the statement sets out that:
- Data protection provisions cannot be placed as an obstacle to the implementation of activities intended to fight the coronavirus.
- The provisions regarding the coronavirus issued to organizations do not conflict with the principles of data processing and do not violate the GDPR; instead they provide tools for organizations to take specific actions that result from both the recommendations of the Chief Sanitary Inspector and the Prime Minister.
- The Chief Sanitary Inspector may make decisions imposing obligations on organizations to take specific preventive or control measures and cooperate with other public bodies—organizations should in the first instance follow the instructions of the State of Sanitary Inspection.
- The Prime Minister has the right to issue instructions to organizations in connection with counteracting the coronavirus, and these instructions are subject to immediate execution upon their delivery or announcement and do not require justification.
- Pursuant to Recital 46 of the GDPR, the processing of personal data should be considered lawful in cases where it is necessary to protect the interest which is significant for the life of the data subject, e.g., when the processing is needed for humanitarian purposes, including epidemic monitoring and spread.
On March 12, 2020, the Spanish Supervisor Authority (“AEPD”) published a statement and a report on processing personal data in connection with COVID-19. The AEPD indicates, like other regulators, that data protection law should not be used to impede the effectiveness of the measures taken by the authorities, in particular health authorities, in the fight against the pandemic. However, the AEPD notes that companies processing personal data in the context of their effort to prevent the spread of COVID-19 must comply with the GDPR, the Spanish Data Protection Law and Spanish sectoral health laws. The report focuses on two key aspects of GDPR compliance—establishing a lawful basis of processing and data minimization.
As to the lawful basis of processing, the AEPD points out that there are a number of legal bases set forth in the GDPR that allow companies to process personal data in connection with COVID-19. However, the AEPD notes that some processing will involve health data and companies must therefore establish a lawful basis of processing under both Article 6 and Article 9 of the GDPR. The report goes on to outline each relevant lawful basis of processing under Articles 6 and 9 and provides relevant examples of data processing. On data minimization, the report states that companies may only process personal data that is adequate, relevant and limited to what is necessary to prevent the spread of COVID-19.
On March 12, 2020, the U.K. Information Commissioner’s Office (the “ICO”) issued a statement and business friendly FAQs on data protection issues associated with COVID-19. In its statement, the ICO notes that data protection and electronic communication laws do not prevent the government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email, as these messages are not direct marketing. The ICO also emphasizes that data protection should not stop organizations from sharing information quickly but highlighted the importance of being proportionate in processing data in connection with COVID-19.
In the FAQs, the ICO reassures organizations that it understands that resources, including finances and people, may be diverted from information governance work during the crisis and that companies should not be concerned about regulatory action from the ICO. Another FAQ addresses an issue that may be relevant to many companies: whether organizations can inform their employees if another employee may have contracted COVID-19. The ICO notes that companies have a duty of care to employees and stated that staff should be kept informed of cases within an organization. However, the ICO reminds companies that they may not need to name specific individuals or provide more information than necessary.
As to whether organizations can collect health data in relation to COVID-19 about employees or from visitors to an organization, the ICO again underscores a company’s duty to protect employees’ health but cautions organizations to be mindful about the volume and specificity of information collected. The ICO states that it would be reasonable to ask employees to inform the company if they have visited a particular country or experienced COVID-19 symptoms. In addition, the ICO confirms that, if necessary, employers can share employees’ health information with authorities for public health purposes.