2 April 2020
The current coronavirus health crisis forces employers to conduct new data processing activities in order to limit the spread of the virus. These processing activities can involve various types of personal data, including health data.
Even in such an unusual context, the employer, acting as data controller, must continue to ensure the protection of its employees’ personal data and comply with the principles laid down by the GDPR and the French Data Protection Act. However, these legislations contemplate such circumstances, thus enabling employers to find the right balance between public health protection and the right to privacy.
In accordance with the principle of data minimisation, personal data collected by employers should be limited to what is necessary in relation to the purposes for which they are processed. It is recommended to ask employees to disclose adequate information on a voluntary basis, while insisting on the rationale behind such information request i.e. the protection of employees’ health.
In addition, data collected and processed as part of these processing activities shall be kept for no longer than is necessary for the purposes for which they are processed.
Data subjects should be provided with exhaustive, specific and transparent information regarding the data processing activities concerning them and their main characteristics, in order to be able to understand how their personal data are processed.
When the employer wishes to conduct coronavirus-related data processing activities and when such activities are not already described in a privacy policy or other information notice, it will be necessary to draft an additional information notice dedicated to these new processing activities and/or update the existing privacy policy accordingly and ensure that the relevant document is provided to data subjects.
Any processing activity must be based on one of the legal bases listed in article 6 GDPR.
In this respect, if a processing activity can be lawfully based on the data subject’s consent, it must be noted that such consent will only be valid if the data subject has been provided with an actual choice, which – according to the EDPB – is not the case in an employer-employee relationship, due to the employee being answerable to the employer.
In addition, use of the controller’s legitimate interest as a legal basis for a processing can only be envisaged when no other article 6 GDPR legal basis is relevant and subject to a balancing test between the employer’s legitimate interest, on the one hand, and the rights and freedoms of data subjects, on the other hand.
Finally, in addition to having a valid legal basis, any data processing involving sensitive data (such as health data) must fall within one of the exceptions of article 9 GDPR.
Possible legal bases and article 9 exceptions are further analysed in the next section.
A data protection impact assessment (DPIA) is required when the processing is likely to result in a high risk to the rights and freedoms of data subjects. Whether such a risk exists can be determined in two ways:
Like any other processing activity conducted by the employer, new coronavirus-related data processing activities, as well as their characteristics, should be recorded in the company’s records of processing activities.
On 6 March 2020, the CNIL published a note describing the measures an employer can or cannot take in the context of a public health crisis, when such measures are likely to result in the processing of employees’ personal data.
The employer is responsible for the health and safety of its employees and, in this respect, must implement occupational risk prevention actions, information and training actions, as well as appropriate organisations and means.
The CNIL more specifically indicates that the employer can:
However, only information which is strictly necessary for the protection of employees in the workplace should be provided to the employer, in particular the following: whether the employee has recently visited a region considered to pose a risk, been in contact with an infected person, suffers from symptoms of the virus or has been tested positive for the virus.
When reported to him, the employer can keep the following information:
Possible exception allowing for the processing of sensitive data: The processing of sensitive data is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law (article 9 (2) (b) GDPR) – ie the safety obligation provided for in the French labour code and legislation applicable to civil servants, to which employers are subject.
Possible legal basis: The data processing is necessary for compliance with a legal obligation to which the controller is subject (article 6 (1) (c) GDPR) – ie the safety obligation provided for in the French labour code (more specifically article L. 4121-1) and legislation applicable to civil servants, to which employers are subject.
Both employee and employer can require a medical examination by the occupational health medical practitioner. In the context of a public health crisis, the CNIL points out that the employer can encourage going to the occupational health medical practitioner.
Possible exception allowing for the processing of sensitive data: The processing of sensitive data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee (article 9 (2) (h) GDPR), and the processing of sensitive data is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law (article 9 (2) (b) GDPR) – ie the safety obligation provided for in the French labour code and legislation applicable to civil servants, to which employers are subject.
Possible legal basis: The data processing is necessary for compliance with a legal obligation to which the controller is subject (article 6 (1) (c) GDPR) – ie the safety obligation provided for in the French labour code (more specifically article L. 4121-1) and legislation applicable to civil servants, to which employers are subject.
The CNIL specifies that, if public health authorities require so, the employer can provide them with information regarding the nature of an employee’s exposure to the virus, when such information is necessary to determine potential sanitary or medical measures.
Our understanding is that such a data processing activity would constitute a sub-purpose of the processing activity n°1 “Hazard prevention and protection of employees in the workplace” and should therefore be referenced in the information notice describing such new data processing activities.
The same article 9 exception and legal basis as those indicated above could therefore apply to this sub-purpose, considering that the employer is also complying with the safety obligation it is subject to.
Companies and public entities can decide to implement a business continuity plan in order to maintain activities which are essential to the organisation. This plan must include measures to protect employees’ safety, identify essential activities of the company which should be maintained, as well as the persons necessary for business continuity.
Possible exception allowing for the processing of sensitive data: Implementing a business continuity plan does not appear to require the processing of sensitive data, so that it is not necessary to determine which article 9 exception could apply.
Possible legal basis: The legal basis will depend on the nature and activity of the entity acting as data controller:
It must be noted that in order to complete their records of processing activities, data controllers can refer to the CNIL’s former declaration exemption for data processing activities carried out as part of business continuity plans put in place in the context of a flu pandemic[3].
The CNIL specifies in its guidelines that employers cannot take measures likely to violate data subjects’ right to privacy, including by collecting health data beyond the management of suspicions of exposure to the virus.
Employers must therefore refrain from collecting in a systematic or generalised manner or through inquiries and individual requests information relating to the search for possible symptoms from which an employee/agent or one of their relatives could suffer.
It is therefore not possible, for instance, to:
The employer cannot disclose the identity of an employee tested positive for coronavirus to their colleagues or to the rest of the company as this would amount to disclosing sensitive data.
In addition, the disclosure of the infected person’s identity is generally not necessary, since the employer can take appropriate measure to isolate persons at high risk of contamination without having to reveal the infected employee’s identity.
However, in some limited cases, including for reasons relating to the nature of the work or the employer’s incapacity to evaluate whether a high risk of contamination exists, confirmation of the infected person’s identity could be justified due to the high risk of further contamination. In this case, the disclosure would take place as part of the processing activities relating to hazard prevention and protection of employees in the workplace.
[1] https://www.cnil.fr/sites/default/files/atoms/files/liste-traitements-aipd-requise.pdf (available in French only)
[2] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236
[3] https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000021091156&fastReqId=166426898&fastPos=1 (available in French only)
by multiple authors
by multiple authors