Following the impact of coronavirus (“COVID-19”) across the world which continues to be a source of concern for all businesses, the implementation of emergency measures (Presidential Decree no. 195 dated 16.03.2020, Military Ordinance no. 1 dated 17.03.2020, Military Ordinance no. 2 dated 21.03.2020, Military Ordinance no. 3 dated 24.03.2020, etc.) to ensure the safety and health of employees and collaborators can lead to the initiation of a process for the collection and processing of special categories of data (such as health data), in which case the provisions of the legislation on the processing of personal data must be applied and observed.
The employers have to take into consideration the data protection implications in the context of collecting employees’ personal data as part of the efforts to monitor and prevent the spread of COVID-19 within the company (e.g. special categories of data, such as health data – data resulting from screening or testing of employees’ health condition, information that an employee is or may be infected with the coronavirus that causes COVID-19).
The obligations of companies, acting as data controllers, remain the same as regards the processing of personal data, namely to comply with the principles provided by the General Data Protection Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
In this context, the following aspects regarding the methods of data processing and ensuring compliance with the requirements of the applicable legislation must be considered by employers a priority:
A. Lawfulness and legitimacy of the processing
In the employment context, the processing of personal data is necessary for compliance with a legal obligation to which the employer is subject such as obligations relating to health and safety at the workplace, or to the public interest, such as the control of diseases and other threats to health.
Thus, the companies process special categories of data, such as health data and they have to ensure that the processing activity complies with the lawfulness principle and observes the provisions of both Article 6 and Article 9 of the GDPR.
The data processing activity may be based on the fulfilment of a legal obligation, but this reasoning implies an extensive interpretation of the provisions of the legislation on occupational health and safety, according to which the employer has the obligation to ensure the safety and health of the employees in all work-related aspects.
However, given that the above-mentioned legislation does not expressly provide for the employers’ obligation to take measures to analyze and determine the existence or non-existence of a suspected illness, controllers may rely on the following grounds provided by Article 9 of the GDPR in order to process health personal data:1 ”
b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional […]
Note: subject to compliance with certain conditions and guarantees (data to be processed by a professional subject to the obligation of professional secrecy or under his responsibility, in accordance with European Union or national law or under the rules established by the competent national bodies or another person, also subject to an obligation of confidentiality under European Union or national law or rules established by competent national bodies);
i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;”
Specific comments on questionnaires & temperature verification
Starting with the appearance of COVID-19 across the world, employers were trying to find solutions of limiting the spread of the virus and many of them wanted to implement questionnaires or to verify the temperature of the employees before starting the program.
There are no legal grounds which allow the collection of employees’ health data by the company by means of questionnaires. Romanian authority has not yet adopted any official position with respect on this matter.
According to the guidelines provided by other supervisory authorities within Europe, as well as by the European Data Protection Board, a company cannot invoke any grounds for processing the data of its employees by means of a questionnaire, for example, for the prevention of COVID-19 spread. This conclusion is justified by the fact that the competence to process such data pertains to the competent institutions, which means that a person who has the symptoms/would be suspected of having COVID-19/would have visited the affected areas would anyway be bound to stay under quarantine and would no longer visit the headquarters of the company.
Furthermore, a company may not implement a medical testing system (temperature scanning, blood tests, etc.), not even for the purpose of preventing the virus spread. Such a testing system is considered by the supervisory authorities to be intrusive and to prejudice a person’s dignity.
Please note that in practice business have successfully implemented alternative measures which are effective for preventing the virus spread and at the same time do not raise such data protection concerns, for instance:
- facilitating the transmission of information related to a potential exposure by creating, if necessary, dedicated channels which guarantee the security and confidentiality of data – for example, employees can inform the human resources officer that they have/might have COVID-19 symptoms;
- raising awareness and inviting employees to contact their physician if they have/ might have COVID-19 symptoms;
- using, as much as possible, the technological means of communications (teleconferences) as an alternative to physical business meetings;
- implementing teleworking;
- prohibiting the entry of any visitors or the organization of direct meetings at the employer’s premises;
- limiting business trips to areas with a risk of contamination and prohibiting trips to the red areas;
- providing hygiene and sanitary products to employees free of charge;
- conducting training with regard to hygiene measures and supplying the latest information received from official sources.
B. Fairness and transparency of the processing
Taking into consideration the efforts of the companies in implementing the GDPR, the employers should assess if the existing documentation (part of the GDPR implementation) may cover the processing intended to mitigate COVID-19, or if there is a need to amend the documentation or to adopt additional documentation. Mainly, such documentation may cover the processing of health data, as this may be necessary in the ordinary course of business (e.g. to manage medical leaves, etc.).
In the case that it may be necessary, the company should adopt dedicated policies or internal procedures for COVID-19, or include general reference thereon in the internal regulation/information notice or add any information that departs from or supplements the latter’s content.
C. Internal and external disclosure of personal data
Employers should limit as much as possible the disclosure of their employees’ personal data, especially health data. The processing of personal data may be necessary for compliance with a legal obligation to which the employer is subject such as obligations relating to health and safety at the workplace, or to the public interest, such as the control of diseases and other threats to health.
The GDPR also foresees derogations to the prohibition of processing of certain special categories of personal data, such as health data, where it is necessary for reasons of substantial public interest in the area of public health (Article 9.2.i), on the basis of Union or national law, or where there is the need to protect the vital interests of the data subject (Article 9.2.c), as recital 46 from the GDPR explicitly refers to the control of an epidemic.2
Considering the above and given the context of COVID – 19 (a relatively long incubation period and an increased risk of spreading), the employers may require to the employees, which may be suspected of COVID-19, to perform immediately a medical control, by contacting the medical service provider (already existent in the company – if any). In case the suspected employee refuses to perform the above-mentioned control, the employer may send the employee at home.
However, in case of suspected or confirmed cases, disclosure might become necessary in order for the employer to comply with any reporting obligations under Romanian law. In such cases, the employer has to limit the reporting to what is legally required and ensure that such report is transmitted to the competent public authority. The identity of the employee should not be made public in any other situation than the above-mentioned.
In case of necessity, the employer may disclose internally several aspects related to an infected employee in case of necessity for investigation and identification of the individuals who were in contact with the employee who is or may be infected with COVID-19.
In accordance with the new information provided by the National Supervisory Authority for Personal Data Processing, the name and health status of an individual, may be publicly disclosed only subject to those individuals` consent3.
D. Whistleblowing/internal reports
In case the employers receive information with respect to a potentially affected employee, it is necessary to document such information, as part of the obligations related to health and safety at the workplace, by:
• marking down the relevant dates and identifying the employee which was or might have been exposed to COVID-19;
• taking appropriate organizational measures (isolation, working remote, contacting the medical service provider, etc.).
E. The necessity of a data protection impact assessments (DPIA)
Taking into consideration the context and purposes of the processing of personal data, the necessity of carrying out of a data protection impact assessment might be needed, as provided by Article 35 of the GDPR.
In case that the processing activities performed by controllers in the context of COVID-19 result in a high risk to the rights and freedoms of data subjects, controllers have to consider carrying out a DPIA before starting the processing activity.
Thus, the controllers must understand that in the effort to mitigate the effects of COVID-19 and the state of emergency that led to the carrying out of new processing activities, the provisions regarding the processing of personal data must continue to be complied with in order to maximize the results pursued and avoid potential infringement risks during this period.
1 https://www.dataprotection.ro/?page=Prelucrarea_datelor_privind_starea_de_sanatate&lang=ro; We have not included consent on this list, since the use of consent as ground for processing of employees’ personal data is in general questionable
2 Statement on the processing of personal data in the context of the COVID-19 outbreak. Adopted on 19 March 2020 – EBDP