Due to the outbreak of COVID-19, organisations are taking various preventive measures to prevent the spread of the virus. These range from questionnaires (about recent destinations, medical symptoms, etc.) to measuring body temperature (with a thermometer or even with thermal imaging cameras) and taking immunity tests. As part of these measures, in most cases employees’ and visitors’ personal data will be processed. How far can an organisation go in processing this data?
Processing of sensitive data
As such, medical tests do not constitute processing of personal data. However, as soon as information is collected, stored, transmitted or consulted, personal data is processed, which implies the need for compliance with data protection legislation including the GDPR.
As soon as data relating to a person’s health is processed, additional caution is required. Indeed, health data is sensitive data and enjoys special protection under the GDPR.
The European Data Protection Board emphasised in its recent guideline (03/2020 on ‘the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak’) that health data is a broad concept. Both the results of a medical test or treatment and the information collected from a query (e.g. on symptoms) can be considered as health data.
The GDPR states that any processing of personal data requires a legal basis (e.g. a legal obligation or the legitimate interests of the organisation). In addition, if sensitive data is also processed, the organisation will have to invoke a specific exception, since this processing is prohibited in principle.
It can be argued that an organisation can invoke a valid legal basis for collecting information, for example through questionnaires on recent destinations or symptoms. An organisation could argue that it has an obligation under the welfare law to analyse the risks from the coronavirus in order to be able to take adequate measures to ensure the health, safety and well-being of its employees, or it could invoke its legitimate interest to protect (the health of) its employees and customers and its economic interests (i.e. preventing multiple employees from falling ill at the same time).
However, in order to process health data, it is necessary not only to invoke a general legal basis, but also to have an exception allowing for this processing. In the context of the survey on medical data, or the introduction of medical tests associated with the processing of health data, the following exceptions may be relevant.
The explicit consent of the data subject
The GDPR requires that consent must be freely given, specific, informed and unambiguous. This implies, among other things, that there is no imbalance of power between the controller and the data subject. Consent is therefore not a solid exception in the context of the employment relationship. Moreover, if consent is given, it can be revoked at any time.
The need for the controller (or the person concerned in the field of labour and social security law or for purposes of preventive or occupational medicine) to respect and exercise specific rights.
Within the framework of welfare legislation and its duty of care, the employer is obliged to take preventive measures, after risk analysis and consultation with the internal and external prevention services and the competent consultative body (Committee for Prevention and Protection at Work/trade union delegation, or if there is none, the workers). It does not seem excluded that in some organisations, for certain functions, these tests may be justified. Due account should be taken of the limitations imposed by welfare legislation (supervision by or under the supervision of an occupational doctor and reserved for high-risk functions).
Necessity for reasons of substantial public interest
This is relevant where it is provided for by EU or Member State law. For the time being, Belgian law does not provide for this type of derogations for companies.
Position of the European Data Protection Board
In a general statement of 16 March 2020 (as further complemented on 19 March 2020), the European Data Protection Board stated that the GDPR does not hinder measures taken in the fight against COVID‑19, including by employers, but that, even in these times, care must be taken to ensure that data protection legislation is respected. However, for the processing of personal data by employers, the European Data Protection Board mainly refers to the applicable national law.
Position of the Belgian Data Protection Authority
On its website the Belgian Data Protection Authority has published a rather strict statement regarding workplace-related processing of personal data in the context of the employment relationship, in which it states, among other things, that:
If you want to process personal data to combat the risks associated with COVID-19, carefully analyse the risks and limitations under welfare law but also under data protection law.
Moreover, if processing is permissible, the GDPR principles should be strictly adhered to, including: