Employers face an unprecedented situation as they need to protect their employees’ health against an invisible enemy. Asymptomatic carriers of the coronavirus make it complicated for supervisors and managers to take appropriate measures to ensure a safe working environment while complying with personal data protection legislation.
Derogatory legal regime for employment law
The General Data Protection Regulation (GDPR) introduces a derogatory legal regime for the processing of health data by an employer, but it has to meet strict conditions. Health information indeed belongs to particular categories of personal data1 due to their sensitive nature (cf. Health Data in the Time of Coronavirus).
Processing of special categories of personal data in the field of employment is possible only if it is necessary, it is authorized by a Member State’s law or a collective agreement, and there are appropriate safeguards in place to protect the fundamental rights and interests of workers2.
This means that there are no general rules applicable to the entire European Union, and the exception for processing sensitive personal data can only be understood on a state-by-state basis. Member States may, through their legislation, allow employers to collect sensitive personal data for different reasons, including to guarantee the health and safety of employees at work.
Generally speaking, and it is a principle applicable to the entire European Union, employers cannot take measures that would infringe on the privacy of their employees. They have to respect the basic principles set out in the GDPR (cf. A Practical Guide to Data Protection and Health Application Development).
Processing of health data by employers needs to be proportionate to the aim of protecting the employees’ health. It is hard to conceive under these circumstances that an employer could collect health data that would go beyond managing suspected cases of exposure to the coronavirus, if they are allowed to do so by their national legislation.
Employers cannot collect data systematically through medical questionnaires in search of coronavirus infection symptoms, surveys about recent travel, or daily measurements of employees’ body temperature. The problem would be the same with requesting employees to show a “green code” (immunity passport) from a smartphone application before authorizing them to enter the employer’s premises. It would not be considered proportionate to the aim of providing a safe workplace, unless it is permitted by a local law.
The limits of consent in the employer-employee relationship
Employers could also rely on the explicit consent of their employees to process personal data3. They could ask them to willingly share information about their health condition if they suspect that they have been exposed to the virus or they show symptoms of contamination.
However, it would be difficult for an employer to rely on this exception to process health data. The European Data Protection Board, in its guidelines on consent, considers that the relationship between employers and employees is asymmetrical4. An employee would therefore not be able to express a “freely given” consent.
If it is possible to use consent or if the employment law exception is applicable, employers would be able to process information about the identity of the concerned employee and the measures taken, such as medical leave, distance working, or reference to an occupational physician. Collected personal data should be processed only for the specific purpose of coping with the pandemic and must be deleted as soon as they are no longer relevant.
Finally, employers cannot disclose the identity of infected employees as they have to respect the confidentiality of the collected data5. They may inform the workers about the general situation without revealing the names of the persons concerned, unless it is necessary and a national law allows it. Otherwise, it could lead to the discrimination or stigmatization of these employees by their coworkers.
* A French version of this text was published under the title Covid-19: le traitement des données de santé des salariés.
1 Art. 9 (1) GDPR.
2 Art. 9 (2) (b) GDPR.
3 Art. 9 (2) (a) GDPR.
4 European Data Protection Board, Guidelines 5/2020 on Consent under Regulation 2016/679 (2020), paras 21–22.
5 Art. 5 (1) (f) GDPR.