In light of the spread of the coronavirus (COVID-19), the situation regarding the processing of personal data has changed in many companies. Many employers are taking measures to prevent the spread of the coronavirus. However, it is important to realize that when implementing such measures, it is extremely important ensure that the processing of personal data complies with applicable laws and that security measures are also put in place to adequately protect the processed data. In this article, we will provide several answers to questions that have arisen regarding the processing of personal data in connection with the spread of the coronavirus.
An employer must ensure the occupational health and safety of its employees
We are currently facing a situation in which it is necessary to provide greater protection for employees’ health, as they are at significant risk from the spread of the COVID-19 coronavirus. Protecting employees at work is an integral part of labor relations. An employer can ensure such protection through a system of measures derived from legal regulations, organizational measures, technical measures, health measures, and social measures aimed at creating working conditions that ensure occupational safety and health, which will help prevent the spread of the infection in the current situation.
Many employers have such measures described in their occupational safety and health documentation; however, these documents often do not include anti-epidemic measures that would ensure the protection of employees against infection. For this reason, it is necessary for every employer to adopt such measures in light of the current spread of the epidemic.
One such measure may be gathering information from employees, such as whether they have recently traveled abroad or been in contact with an infected person. An employer may collect this personal data about its employees or visitors via a questionnaire, specifically to ensure a healthy work environment for its employees.
Measure – Temperature Checks
Another measure currently being adopted by many companies is taking the temperature of every person who enters the company’s premises. However, we must be aware that this involves the processing of a special category of personal data (sensitive personal data). In order for such data to be processed, a valid legal basis must be established in accordance with Article 6(1) of the GDPR, and such processing must be limited solely to the necessary purpose. But what does this mean? It means that the employer must first identify one of the conditions set forth in Article 9(2) of the GDPR and use it to justify the processing of this special category of personal data. The Office for Personal Data Protection considers Article 9(2)(i) of the GDPR to be the appropriate condition for processing such data, namely that processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health or ensuring a high level of quality and safety of healthcare, medicines, or medical devices, based on Union law or the law of a Member State. However, in order to rely on this basis for processing personal data, such an obligation must be established in a separate legal act. At the time the Slovak Republic declared a state of emergency, such a legal provision was Act No. 42/1994 Coll., the Act on Civil Protection of the Population. However, an employer may adopt this measure only for as long as the state of emergency remains in effect in Slovakia; thereafter, there will no longer be a legal basis for such processing.
Another obligation imposed by this measure (temperature screening) is to limit data processing solely to the specified purpose. It is important to note here that we measure body temperature to prevent the spread of infection and to prevent potential carriers of the infection from entering the premises. Therefore, there should be no systematic processing of the measured body temperature values (they should not be stored). This data should truly serve only to grant access to the premises.
As part of this measure, we must not overlook the obligation to provide information, which must be made available to the data subject before we require an employee or visitor to have their body temperature measured.
Processing of Data on Employees’ Health Status
Under normal circumstances, an employer should not collect data on the health status of its employees. However, since the Slovak government has declared a state of emergency, it is permissible to process such data; nevertheless, there should be no systematic or blanket processing of personal data. This means that if a coronavirus case is detected among employees, the employer may record this information. However, the employer must not collect such information on a blanket basis or inquire about employees’ health status (symptoms of illness).
Data regarding an infected employee must also be properly protected. If an employer becomes aware of an infection within their company, they should notify the relevant authorities. Under no circumstances, however, should the employer disseminate such information among other employees; if the employer wishes to notify employees of a coronavirus case in the workplace, they may do so only in the form of anonymized information (the employee’s name or job title must not be disclosed). Furthermore, such employee data must not be retained for longer than is necessary to fulfill the purpose.
Measure – Working from Home
Another measure that companies are widely implementing (where possible) is working from home. The employer should ensure the protection of all personal data that will be processed outside the company’s headquarters or premises. This protection can be achieved by adopting the following rules:
- Establishing a VPN connection to provide secure remote access to the server (thereby ensuring the confidentiality and integrity of personal data).
- Training all employees on how to handle personal data in a home environment.
- Raising awareness of potential cybersecurity incidents.
- All personal data stored directly on a computer must be encrypted.
- Additionally, every technical device on which personal data is stored must be protected with a sufficiently strong password.
- The controller should describe all rules regarding the use of technical devices in a policy, which should be adopted internally and distributed for review to all authorized individuals who will be working from home.
Despite the current situation, care must be taken to ensure that the processing of personal data is lawful and in compliance with the GDPR and Act No. 18/2018 Coll. on the Protection of Personal Data. We remain at your disposal. Please feel free to contact us at any time with any questions, issues, or forms.
We wish you all the best.
The Top Privacy s.r.o. Team