COVID-19 and GDPR


Below you may find answers to some of the most relevant GDPR-related questions in the COVID-19 disease context:

Can a company implement a measure in order to take the temperature of employees when entering the workplace? Not only can the company implement such a measure, but it is obliged to perform this procedure during the state of alert, taking into account the provisions introduced by several normative acts: Law No. 55/2020 on some measures to prevent and combat the effects of the COVID-19 pandemic; Order No. 831/2020 on measures to prevent contamination with SARS-CoV-2 and to ensure health and safety at work during the state of alert; and Decision No. 394/2020 on the declaration of the state of alert and the measures applied during it to prevent and combat the effects of the COVID-19 pandemic.

Upon implementation of these measures, the company has the following obligations:

  • to appoint a person responsible for checking the temperature at the entrance of the unit/institution;
  • to ensure the triage of employees by checking the temperature at the beginning of the work program and whenever necessary during the program;
  • if the employee shows respiratory symptoms (cough, sneezing, rhinorrhea) and/or a fever higher than 37.3 °C and/or a generally impaired condition, the employer must isolate the person from other employees and send him/her home or to a medical unit (depending on his/her condition). The rules on access and temperature measurement also apply to visitors.

Unlike other EU authorities that have taken a position on this issue, the guide of the Romanian Supervisory Authority (available here) does not address the application of data protection rules to temperature measurement.

Depending on the measurement method and on whether any subsequent processing takes place, the GDPR may not be applicable; this view is also supported by some Supervisory Authorities (Belgium, Greece) in their own COVID-19 guidelines. However, the implementation of such a measure usually involves additional processing, such as documenting the decision when access is refused.

Even where the GDPR does not apply, other rights of the employee must be taken into account, namely the right to respect for private and family life guaranteed by the ECHR and the right to dignity at work. Ultimately, the approach needs to be proportionate to the risks considered (e.g., protecting employees’ health) and implemented in a manner that ensures the employees’ dignity at work (e.g., ensure privacy by not revealing the temperature to others waiting in line to enter, use non-intrusive equipment, etc.).

Therefore, to the extent that such a process is to be implemented, it is advisable to carry out an impact assessment in advance to document and address the risks for the employees together with the measures that ensure risk mitigation, proportionality of the processing and data protection requirements.

Can a company use questionnaires asking certain information from employees or visitors prior to allowing them to access its premises? Yes, but such questions should normally be limited to:

  • whether the individual has been in COVID-19 quarantined areas in the last 14 days;
  • whether he or she is subject to an active quarantine or self-isolation measure (without asking for the reason); or
  • whether he or she believes they have been in contact with persons confirmed or suspected of having the COVID-19 disease (without asking for details or the name of the respective person).

Asking whether the individual has certain symptoms (e.g., fever, shortness of breath) is not advisable, as such details qualify as sensitive data. Under the GDPR, the processing of such data is allowed only in limited cases. In the COVID-19 disease context, one justification may be that the law requires companies to collect the data (but this is not usually the case), or that companies can reasonably demonstrate that they need to undertake the processing for reasons of public interest in the area of public health, such as protecting against cross-border threats to health. This does not, however, justify the preventive collection of health data from all employees or visitors.

However, questionnaires may include the recommendation to follow general public health advice on managing COVID-19 risks.

How much time can a company retain the visitors’ or employees’ questionnaires? No legal term exists, so each company has to decide its own retention period. It is recommendable to set short periods (e.g., 30 to 60 days) with the possibility of prolongation as required (e.g., if the authorities ask for the data as part of an epidemiological investigation).

What other measures should companies take when using visitors’ questionnaires?

  • restrict access to the questionnaires (ideally to 1 or 2 persons within the organization, e.g., the occupational health doctor);
  • define the applicable technical and organizational rules for protecting the confidentiality of the questionnaires;
  • appoint persons responsible for monitoring compliance with the relevant retention terms, access rights, etc.

Has the Romanian data protection authority (DPA) issued any guidance in the context of the COVID-19 disease? Yes, on 18 March 2020 the National Authority for the Supervision of Personal Data Processing issued clarifications on the conditions to be met when processing health data in the COVID-19 context. The clarifications are available here. Pursuant to these clarifications, there are several grounds already recognized by the GDPR that, if applicable, allow the processing of health data. These are:

  • meeting legal obligations towards employees – including on health and safety at the workplace;
  • processing as part of activities related to preventive medicine, including diagnosis and the provision of medical assistance, etc. – this is most relevant for companies in the medical sector, including providers of occupational medical services;
  • reasons of public interest in the area of public health, such as protecting against cross-border threats to health – this may be relevant for companies from all sectors, but should be invoked with care;
  • the individuals’ consent.

Can employers ask employees to report if they have been diagnosed with the COVID-19 disease? Yes, especially since this diagnosis triggers obligations under employment law (e.g., medical leave) and public health legislation (e.g., to disinfect premises).

Does the company need to provide a privacy notice to the employees about the processing of sensitive data (i.e., that the employees have been diagnosed with the COVID-19 disease)? No, as long as the privacy notice already provided covers the processing of health data for compliance with legal obligations. If, however, the company opts to share the health data with third parties other than public authorities based on reasons of public interest in the area of public health, such as protecting against cross-border threats to health, this may trigger the need to provide an additional notice to employees, unless this possibility was already covered in the general employee privacy notice (which was not necessarily industry practice until now).

Based on the DPA guidance, companies may provide this notice via the website. In the employees’ case, alternative communication tools may be email or the intranet (the latter only if the employees continue to have access to this tool while working from home).

Can the company disclose the information that employees were diagnosed with the COVID-19 disease to third parties? To public authorities: Yes, companies can communicate the data to the local public health authority or to the emergency services (112) (the latter if the company cannot reach the public health authority in due time because of the increased demand experienced by the authority). To other employees: Normally no, unless this is necessary in order to determine whether other employees are at risk due to contact with the employee.

To other companies within the group: Normally no, unless this is necessary for reasons of public interest in the area of public health, such as protecting against cross-border threats to health. For example, the company may wish to disclose the information if the affected employees have been travelling to the employer’s affiliate in another country during the incubation period. The company should:

  • assess these situations on a case-by-case basis, including checking that there are no (additional) limitations in the legislation applicable to the affiliate;
  • document this assessment, including why the company deems the disclosure necessary for reasons of public interest in the area of public health, such as protecting against cross-border threats to health;
  • ideally limit the sharing to the persons responsible for health and safety at work within the two affiliates.

To other third parties: Normally no; the only information to be provided, if necessary, should be that the employee is on leave (i.e., without specifying that it is medical leave). Based on the DPA guidance, disclosure of an infected employee’s personal data to the public can be done only with the individual’s consent.

However, anonymised information, e.g. that a positive case or a contact case was confirmed, can be shared on a reasonable need-to-know basis (e.g. with companies in the same office building as the employer), always being mindful of spreading information that may create panic.

Can the National Authority for the Supervision of Personal Data Processing (DPA) still perform investigations during this period? Yes, since the DPA can exercise its investigative powers from its own headquarters. The DPA has used this possibility often in the past, hence there is no reason to believe its remote investigation activities will be significantly diminished. If the company diverted resources normally tasked with managing DPA investigations to address COVID-19 actions, we believe the DPA will accept grounded requests to extend deadlines for responding to the DPA’s requests for information and documents.

Is the company still required to comply with deadlines for managing data subject requests? Yes, the general 30-day term for responding to requests still applies. If the company diverted resources normally tasked with managing data subject requests to address COVID-19 actions, the company can notify the data subject of the extension of the response deadline by up to two (2) months and of the grounds for such extension. The company needs to send this notification within the initial 30-day deadline.

Is the company still required to notify data breaches within 72 hours of becoming aware of them? Yes. If the company diverted resources normally tasked with managing (including notifying) data breaches to address COVID-19 actions, the company may notify the data breach in phases, explaining why not all details are readily available within the initial 72-hour deadline.

If the company notifies the data breach with delay, it may explain the reasons for such delay, but it will be up to the DPA to assess and decide if such grounds suffice to justify the submission with delay.

How is the DPA’s activity impacted during this period? For now, the DPA has suspended all audiences at its headquarters. Audiences with the interested public can be held by phone from 9:00 to 12:00 every day. It has also reduced the working hours of its registration office as follows: Monday, Wednesday and Friday, from 9:00 to 11:00 am.
