The European Data Protection Board ("EDPB") issued a statement on March 19, 2020, in which it goes into more detail on the legal basis (Article 6 of the GDPR) and exceptions (Article 9 of the GDPR) on which data controllers (including employers) could base the processing of data, including sensitive data, in the context of the coronavirus crisis.
With regard to sensitive data, the EDPB points out that private entities could base such processing operations (inter alia) on the exception in Article 9(2)(i) of the GDPR, on grounds of public interest in the area of public health, based on the law of the Member State or of the European Union.
The EDPB clarifies that the possibility for private entities to collect health data of visitors and employees, or to subject them to temperature readings in the context of coronavirus, should thus be assessed on a country-by-country basis according to local law.
In France, as mentioned in our previous post of March 16, 2020, it is important to remain alert to any change in the CNIL's position on this matter (a change linked to a potentially more flexible interpretation, particularly with regard to the obligation of employers to ensure the safety and health of employees, and/or linked to any possible specific measure taken by the French State in relation to the protection of workers in the context of the coronavirus).
As a reminder, employers cannot, in principle, base the processing of sensitive data of their employees on their explicit consent, since such consent would not be considered freely given in view of the subordinate relationship existing between an employer and its employee. Regarding visitors, the validity of consent may also be challenged if access to the premises is denied to a visitor who refuses to submit to such data processing or presents symptoms.
EDPB statement of March 19, 2020 (in English)
Does the war against coronavirus justify all types of processing of personal data, especially in the workplace?
As a reminder, a data controller may only process personal data based on one of the lawful grounds provided for by Article 6 of the General Data Protection Regulation (“GDPR”) and, in case of sensitive data, on one of the exceptions to the prohibition on processing such data under Article 9 of the GDPR. The importance of respecting these principles, even in times of crisis, is recalled by the European Data Protection Board (EDPB) in its press release published on March 16, 2020.
As mentioned in our previous post on the subject, on March 6, 2020, the French data protection authority (the “CNIL”) published recommendations in which it stated, in essence, that “employers should refrain from collecting information relating to the research and detection of possible symptoms experienced by an employee/agent and his/her relatives, in a systematic and generalized manner, or through individual investigations and requests”. In this regard, the CNIL specified that it was not possible (i) to establish mandatory body temperature readings for each employee/agent/visitor to be sent daily to the employer, or (ii) to collect medical records or questionnaires from all employees/agents.
The CNIL might nevertheless update its recommendations. Indeed, depending on the tangible measures taken by the French government in the next few hours or days, including in relation to the protection of persons in the workplace, private entities could possibly benefit from some of the exceptions provided for by Article 9 of the GDPR based on the existence of a text adopted by the French government for the management of the health crisis, and thus carry out (proportionate) processing of health data in this context. Indeed, among the exceptions provided for by Article 9 of the GDPR, there is for instance the possibility to process sensitive data if such processing is carried out for reasons of public interest, including in the area of public health, on the basis of Member State law (see, in particular, Article 9(2)(g) or (i)). Article 9(4) of the GDPR also enables each Member State to “maintain or introduce further conditions (...) with regard to the processing (...) of data concerning health”. This general provision could possibly allow the French State to enact specific measures regarding the processing of health data.
The European Data Protection Board indicates, in its press release, that employers and relevant public health authorities may rely on legal grounds and exceptions to the prohibition on processing sensitive data under the GDPR, potentially allowing the processing of personal data, including health data, in the context of an epidemic such as coronavirus. Among the elements mentioned, but without further details, are the public interest in the area of health and compliance with a legal obligation.
In Italy, a decree issued by the Prime Minister dated March 11, 2020 (the “Decree”) recommends, among other things, that production sites (which are allowed to pursue their activities, except for activities that are not essential to production) take the necessary protective measures to ensure the health of workers (e.g. remote working), and facilitates the signing of agreements between trade unions and employers' organisations. As a result of this Decree, Italian employers' and trade union organisations established, on March 14, 2020, a memorandum of understanding containing additional measures in order to fight against coronavirus in the workplace. This memorandum of understanding provides for the possibility to collect health data via a questionnaire and to take the temperature of employees and visitors. However, appropriate measures must be implemented, including to ensure the confidentiality of data and the dignity of workers. This memorandum of understanding also seems to encourage Italian data controllers to specify in the information notice intended for individuals subject to questionnaires or temperature tests, that the legal ground for this processing is the Decree of March 11, 2020 aimed at stopping the epidemic.
Private entities in France whose business would be maintained in accordance with the instructions of the French State should pay particular attention, if this is not already the case, to the tangible measures to be taken by the French State, if any, and the resulting potential evolution of the CNIL’s recommendations regarding the processing of sensitive data.
http://www.governo.it/it/articolo/coronavirus-conte-firma-il-dpcm-11-marzo-2020/14299 (Decree of March 11, 2020 – in Italian)
https://www.cisl.it/attachments/article/15466/Protocollo.pdf (memorandum of understanding in Italian)