GDPR and COVID-19: Key Takeaways from the full EDPB Statement and the Belgian DPA’s recommendation
After the statement of the EDPB Chair on 16 March 2020, which already recalled some general data protection principles, the EDPB decided to adopt a “more” elaborate statement.
Governments and public and private organisations throughout Europe are taking measures to contain and mitigate COVID-19. Such measures can definitely involve the processing of different types of personal data. Even in exceptional times, the EDPB underlines that the controller and processor must ensure the protection of the personal data of the data subjects and guarantee the lawful processing of personal data. Emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.
1. Which legal grounds could be invoked by public health authorities and employers?
The GDPR allows competent public health authorities and employers to process personal data in the context of a pandemic, in accordance with national law and within the conditions set therein.
(a) With regard to the processing of personal data including health data by competent public authorities, the EDPB considers that Articles 6 and 9 of the GDPR enable the processing of personal data, in particular when it falls under the legal mandate of the public authority provided by national legislation and the conditions enshrined in the GDPR.
(b) In an employment context, the processing of personal data may be necessary for compliance with a legal obligation to which the employer is subject such as obligations relating to health and safety at the workplace, or to the public interest, such as the control of diseases and other threats to health.
The GDPR also authorises the processing of health data where it is necessary for reasons of substantial public interest in the area of public health (Art. 9 (2) (i) of the GDPR), on the basis of Union or national law, or where there is the need to protect the vital interests of the data subject (Art. 9 (2) (c) of the GDPR).
(c) With regard to the processing of telecom data, such as location data, national laws implementing the ePrivacy Directive must also be respected. In principle, location data can only be used by the operator when made anonymous or with the consent of individuals.
However, Art. 15 of the ePrivacy Directive allows Member States to introduce legislative measures to safeguard public security. Such exceptional legislation is only possible if it constitutes a necessary, appropriate and proportionate measure within a democratic society (see below point 3). In case of an emergency situation, it should also be strictly limited to the duration of the emergency at hand.
2. Do organisations still need to comply with core principles relating to the processing of personal data?
(a) Purpose limitation: personal data that is necessary to attain the objectives pursued should be processed for specified and explicit purposes.
(b) Transparency – Storage Limitation: data subjects should receive transparent information on the processing activities that are being carried out and their main features, including the retention period for collected data and the purposes of the processing. The information provided should be easily accessible and provided in clear and plain language.
(c) Integrity: it is important to adopt adequate security measures and confidentiality policies ensuring that personal data are not disclosed to unauthorised parties. The measures should be appropriately documented.
3. Can Member State governments use personal data related to individuals’ mobile phones in their efforts to monitor, contain or mitigate the spread of COVID-19 (geolocation, sending of public health messages)?
Public authorities should first seek to process location data in an anonymous way which could enable generating reports on the concentration of mobile devices at a certain location.
When it is not possible to only process anonymous data, as mentioned above, the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security.
If measures allowing for the processing of non-anonymised location data are introduced, a Member State is obliged to put in place adequate safeguards, such as providing individuals using electronic communication services with the right to a judicial remedy.
The proportionality principle also applies. Invasive measures, such as the “tracking” of individuals (i.e. processing of historical non-anonymised location data) could be considered proportional under exceptional circumstances and depending on the concrete modalities of the processing. However, it should be subject to enhanced scrutiny and safeguards to ensure the respect of data protection principles (proportionality of the measure in terms of duration and scope, limited data retention and purpose limitation).
In Belgium, the Health Minister agreed last week that telecom operators are entitled to share a part of their database with a private third party, Dalberg Data Insights, in order to analyse anonymised aggregate data (from a geographical perspective – postal code) from the telecom operators together with the authorities' epidemic data and so better fight the coronavirus. We are awaiting the agreement of the Belgian Data Protection Authority.
4. What are the rights/obligations of the employers towards their employees?
The EDPB asks a few interesting questions (such as: can an employer require visitors or employees to provide specific health information in the context of COVID-19?; is an employer allowed to carry out check-ups on its employees?; can an employer disclose that an employee is infected with COVID-19 to his colleagues or to external parties?; what information processed in the context of COVID-19 can be obtained by the employers?) but always concludes that the employer should only require/process health information to the extent that national law allows it.
Under Belgian employment law, the employer may ask employees to undergo a medical examination (e.g. temperature check), but not on a general or systematic basis and only when health and safety require so (e.g. for employees returning from risk areas). The company doctor should do the screenings at the employer’s expense. The employer should best liaise with its internal and/or external health and safety provider.
The Belgian Data Protection Authority issued a recommendation on the processing of personal data due to the coronavirus. The employer should bear in mind that employees’ health data is sensitive personal data and ensure that its processing complies with its data protection obligations (the processing may be allowed under the exception of "public interest in the area of public health"). See link in French and Dutch.
Therefore, an employer may not oblige its employees to fill out a medical Q&A. It is preferable to simply ask employees who do not feel well, with cold or flu-like symptoms, to stay at home. Lydian’s employment team believes employees cannot reasonably refuse this instruction.
Moreover, please note that, according to this recommendation, the Belgian Data Protection Authority considers that the mere recording of body temperature is not a processing of personal data. Insofar as temperature recording is not accompanied by an additional recording or processing of personal data, the GDPR does not apply.
Lydian’s employment team advises the employer to liaise with the internal and/or external health services, in particular with the occupational doctor. If the latter considers that taking the body temperature is not a medical health examination (and should therefore not be done by a doctor, nor be subject to the legal rules of the Codex Well-being at Work), you could consider implementing it, of course with respect for the employee's right to privacy. This means that employees will have to be informed and that it will have to be assessed on a case-by-case basis whether such a check is proportionate in the light of the seriousness of the situation and the purpose (in particular, ensuring the general public health and well-being of employees at work). Certainly for employees working in critical sectors and essential services, this could possibly be justified.