Health data are a special category of personal data under the GDPR and national law. Any processing of employee health data in the context of COVID-19 should continue to be carried out in a responsible and efficient manner that ensures data security and confidentiality.
What GDPR compliant measures can employers take?
1. Implement procedures to document whether their employees have travelled to areas affected by COVID-19 or are experiencing symptoms
Employers should inform, encourage and empower employees to declare whether they have travelled to risk zones or show COVID-19-specific symptoms, and should provide a reporting line that employees can use to raise any matter or information concerning the coronavirus.
2. Request information on the diagnosis of employees with COVID-19
Employee health records must be limited to what is necessary to enable the employer to implement health and safety measures in labour relations.
3. Require the body temperature of employees/visitors to be taken
The body temperature of employees/visitors may only be taken after the explicit consent of the data subjects has been obtained. Explicit consent does not necessarily mean that it must be given in writing.
4. Carry out information and awareness campaigns
Each employee is obliged to promptly inform the employer of a suspected or confirmed coronavirus diagnosis; failure to comply with this obligation may give rise to disciplinary liability for the employee.
What measures taken by employers DO NOT comply with the GDPR?
1. Collect medical records or questionnaires from employees and/or visitors
Only state authorities may oblige data subjects to disclose detailed information on their condition and on coronavirus-specific symptoms; employers can only encourage their own employees to disclose such information voluntarily.
2. Disclose to employees the identity of an employee infected with coronavirus
Any processing of data on the health of employees must be treated confidentially, i.e. any communication to staff about the suspicion or presence of coronavirus at work should be carried out without identifying the infected employee by name and surname. However, depending on the specifics of the employer’s activity, the identity of the affected person could also be revealed, provided that there is a clear justification and that the communication is made only to persons who need to be informed.
3. Installation of employee localization devices/applications
The introduction of ways of supervising employees in the context of work relations may be carried out only in compliance with the special conditions laid down in Law No 190/2018. Therefore, according to the law, the pandemic cannot constitute a sound justification for installing such employee localization devices/applications.
In general, employers can process data on the health of employees in order to reduce the risk of employee sickness and to ensure occupational safety and health, bearing in mind that under the GDPR health information is a special category of personal data, which attracts a higher degree of protection.
The implementation of restrictive measures must have a strong justification based on proportionality and risk assessment.