‘Can I ask my employees about their health status these days?’ || ‘Can I disclose their health data to public authorities, upon request?’ || ‘Can I disclose within the organisation that an employee of ours tested positive for Covid-19?’ || ‘Can I disclose their health data to the public?’ || ‘Can I track employees during the ‘stay-at-home’ recommendation?’ || ‘How long can I store employees’ data in relation to Covid-19?’
While the fast-moving Covid-19 pandemic is shifting business models on the go, employment relations are also being put under strain, and uncertainty surrounds the newly emerged situations in which health data is processed.
If you are an employer seeking guidance on these questions, the ground rules below will shed some light.
1. Starting point
A statement recently issued by the European Data Protection Board (EDPB) emphasised that GDPR should not be a hindrance in the fight against the coronavirus pandemic.
At the same time, even in exceptional times, the data controller and processor must ensure the protection of the data subjects’ personal data. An emergency may only legitimise restrictions of freedoms if these are proportionate and limited to the emergency period.
2. Processing of data concerning health. Legal basis
Legal basis. In processing health data, consent of the data subject may not be required. There are alternative legal grounds which may legitimise processing.
Thus, processing may be necessary for either:
- Carrying out the obligations and exercising the specific rights in the field of employment and social security and social protection law insofar as authorised by law or a collective bargaining agreement – GDPR Article 9(2)(b); or
- Preventive medicine, assessment of the working capacity of the employee, medical diagnosis, provision of health or social care or treatment, on the basis of law – GDPR Article 9(2)(h) and (3); or
- Reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care – GDPR Article 9(2)(i); or
- Protecting the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent, as the need may arise in controlling the spread of epidemics – GDPR Article 9(2)(c) and recital (46).
Clearly, applicability of each of the above should be analysed on a case by case basis.
Notice duties. While consent may not be needed, informing the employee of such processing is still mandatory: it must be done in a concise, transparent, easily intelligible and accessible manner, using plain and simple language.
Pursuant to a guidance note released by the National Supervisory Authority for Personal Data Processing (the Authority), such notification may be done via the employer’s website.
3. Short answers
In light of the above, some key points may be drawn.
- ‘Can I ask my employees about their health status these days?’ In principle, yes, without needing their consent, provided (i) it is grounded on a public health/ preventive medicine related interest (as per above) and (ii) I have genuinely informed them of this processing of their health data. In analysing the situation, proportionality and minimisation principles should also be observed.
- ‘Can I disclose within the organisation that an employee of ours tested positive for Covid-19?’ In principle, yes, provided (i) it is grounded on a public health/ preventive medicine related interest (as per above) and (ii) I have genuinely informed them in advance, and duly respected their privacy. In analysing the situation, proportionality and minimisation principles should also be observed (e.g., it may be sufficient for the scope of protecting my employees to only disclose that we have a Covid-19 case within our organisation and we should all follow the applicable health protocol, without the need of also disclosing the name of the individual).
- ‘Can I publicly disclose the name and health status of an employee?’ According to the Authority, yes, but only with their prior explicit consent.
- ‘Can I share employees’ health information with authorities for public health purposes?’ In principle, yes. Public authorities may need such information for epidemics spread control or even enforcement proceedings against individuals infringing isolation/ quarantine protocols.
- ‘Can I track employees during the ‘stay-at-home’ recommendation?’ The short answer is ‘no’ – there is no legal basis to support this. However, in a specific factual context this might be possible.
- ‘How long can I store employees’ health data in relation to the COVID-19 pandemic?’ Until you no longer need it – when is that? Quite uncertain. Also take into consideration that the statute of limitations periods are currently suspended.
*This ePublication is provided by Radu Taracila Padurari Retevoescu SCA and is for information purposes only. It does not constitute legal advice or an offer for legal services. The distribution of this document does not create an attorney-client relationship. If you require advice on any of the matters raised in this document, please call your usual contact at Radu Taracila Padurari Retevoescu SCA at +40 31 405 7777.