DATA PROTECTION AND CORONAVIRUS: A difficult challenge for Businesses.
At the beginning of August 2020, Luxembourg was targeted by several European Member States as it suffered a second wave of the pandemic with an increase in new cases, partly explained by the fact that Luxembourg carries out 15 times more tests than the EU average [1].
Luxembourg has chosen to perform testing widely on its citizens and cross-border workers. It has, however, rejected the use of a tracking app, as tracing is carried out manually after a person has tested positive.
At the beginning of the crisis in spring, the European Data Protection Board (“EDPB”) and the Luxembourg Commission nationale pour la protection des données (“CNPD”) published recommendations [2] on the collection of personal data in the context of a health crisis. The lockdown in Luxembourg started on 16 March 2020 and the state of crisis ended on 24 June 2020.
The situation seems to have calmed down again, but the return to work in early September is long awaited, and companies and employers need to address the following questions:
1) What data can be collected in the event of a suspected coronavirus infection in the company and on what basis?
In Luxembourg, employers have stringent health and safety obligations to their employees. In the event of a suspected coronavirus infection in a company, it is permitted to record:
- the date and the identity of the person who might have been exposed to the virus;
- the organisational measures taken (quarantine, teleworking, contact with the occupational health service, etc.).
At the request of the health authorities, a company will provide them with information such as the nature of the employee’s exposure, and health data necessary for them to decide which measures need to be put in place for the concerned employee/agent.
Data processing operations carried out by the employer in this context may be justified on the basis of compliance with its legal obligations in the field of health and safety at work (Article 6(1)(c) of the GDPR).
In addition, the employer may base the processing of health data on its obligations in the field of employment law (Article 9(2)(b) of the GDPR), on grounds of public interest in the domain of public health (Article 9(2)(i) of the GDPR), or on the need to safeguard the vital interests of the data subjects (Article 9(2)(c) of the GDPR).
If companies process new categories of personal data and/or use personal data for new purposes, the GDPR compliance documentation must reflect these changes and be disclosed to employees.
2) How to manage internal communication about the virus?
In order to ensure optimal management of communication on suspected coronavirus infections, the CNPD recommends:
- raising awareness and inviting employees/agents to personally inform the employer or the health authorities regarding possible exposure; and
- facilitating the circulation of information by setting up, if necessary, dedicated channels to guarantee the security and confidentiality of data.
Article L. 313-1. of the Luxembourg Labour Code provides that employees have a duty to take care, according to their means, of their own safety and health as well as that of other persons who may be affected by their acts or omissions at work, in accordance with their training and with the instructions from the employer. Therefore, employees must inform the employer if they suspect that they have been exposed to the virus. Employees must be informed of this obligation.
In order to be able to implement such recommendations, it is highly recommended to draw up an internal procedure and to prepare a dedicated privacy information notice, or at least to update the existing internal privacy information notice or policy.
The procedure should clearly set out the reporting obligation of employees who suspect they have been exposed to the virus, as well as the nature of the information to be provided, the persons authorised to receive reports, and/or a dedicated email address for reporting suspected cases. The new notice should be circulated to all staff.
3) Can the identity of employees affected by the virus be disclosed?
According to the recommendations of the EDPB, employers are required to inform their staff about the existence of any COVID-19 cases within the company and to take protective measures.
In compliance with the principle of data minimisation, employers shall not disclose more information than strictly necessary to protect the health of the employees.
The CNPD has specified that the identity of persons concerned shall not be disclosed to third parties or to other staff members unless there is a clear justification to do so. Therefore, in order to assess whether the disclosure of the identity of concerned persons is justified (e.g. the need to quarantine staff members that have been in contact with the person in question), a case-by-case analysis shall be carried out.
In the event that it is necessary to disclose the names of employees who have contracted the virus, they must be informed in advance and the employer must ensure that their dignity and integrity are respected.
4) To what extent can companies carry out checks to identify suspected cases of infection?
Collecting information in order to identify possible symptoms presented by an employee, an external person or their relatives, whether on a systematic and generalised basis or through individual inquiries and questions, is forbidden.
The CNPD prohibits:
- requiring employees to provide the employer with daily body temperature data or to complete medical forms or questionnaires; or
- asking visitors or other external persons to sign a declaration certifying that they do not have symptoms of coronavirus or that they have not recently travelled to a risk area, etc.
5) How can data security be preserved in the context of teleworking?
In the context of teleworking, the employer remains responsible for incidents affecting the security of personal data and shall put in place appropriate technical and organisational measures such as:
- employees’ access to the company’s IT system must be provided via a secure access point (for example a VPN connection) with a robust access verification procedure;
- the employer shall ensure that employees respect minimum security measures (e.g. locking the computer after leaving the workstation; taking confidential telephone calls without the presence of other persons who might hear the conversations; securing the Wi-Fi network used for teleworking);
- the implementation of a teleworking policy defining employees’ obligations, particularly those intended to preserve the confidentiality and security of data;
- the prohibition or at least the limitation of use by employees of documents containing confidential data in physical format (files, printouts); and
- preventing, as much as possible, the use of employees’ private IT equipment for teleworking. If the use of private equipment cannot be avoided, the employer must ensure that it is adequately secured, and measures should be taken to ensure the separation of private and professional data.
6) Monitoring of employees who are teleworking: is it possible?
Such monitoring is possible, but within strict limits.
Despite the exceptional circumstances caused by coronavirus, employers are not allowed to set up a system for monitoring employees beyond the conditions provided for in Article L. 261-1. of the Labour Code.
Prior to processing data for supervisory purposes, the employer must inform the employees concerned, as well as the staff representative or, if appropriate, the labour and mines inspectorate. In addition, certain processing operations are subject to a joint decision to be reached by the employer and the staff representative.
Employers who violate the abovementioned provision may be subject to imprisonment for eight days up to one year, and/or a fine of up to EUR 125,000.
Luxembourg will continue with its large-scale testing strategy by targeting specific sectors: healthcare professionals, hotels and restaurants, police, etc. At the end of the collective holidays in the Luxembourg building sector, for example (i.e. after 17 August 2020), companies will be able to request free testing for their staff. Free testing will also be available in the context of business travel. These campaigns will be organised by the Luxembourg State in collaboration with the federations, the Chamber of Commerce, etc.
[2] CNPD, Coronavirus (covid-19): Recommandations de la CNPD relatives à la collecte de données personnelles dans un contexte de crise sanitaire, cnpd.public.lu/fr/actualites/national/2020/03/coronavirus.html; EDPB, Statement on the processing of personal data in the context of the COVID-19 outbreak, edpb.europa.eu/our-work-tools/our-documents/other/statement-processing-personal-data-context-covid-19-outbreak_en
Article provided by: Michel Molitor and Virginie Liebermann (MOLITOR, Luxembourg)
Dr. Tobias Höllwarth (Managing Director INPLP)