Up Again Austria: Privacy and Data

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

The Austrian Data Protection Authority (DPA) views this as an issue governed primarily by employment law, but has concerns regarding the proportionality of such measures, arguing that the same information can be obtained by less invasive means (such as simply asking employees about their health) and that a high temperature is only one of many possible symptoms of COVID-19. While this opinion might be open to challenge where the temperature is not recorded, the recording of measurements is likely to be considered disproportionate.

The DPA sees temperature monitoring as justified if carried out in compliance with a statutory obligation for health checks, such as with certain professions that carry a risk of an occupational disease.

Temperature monitoring may generally be carried out on the basis of the employee's or visitor's consent. In an employment relationship, however, the high standard required for freely given consent would not usually be met.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

The DPA recognises that health-related data may be processed to the extent necessary to prevent the spread of the virus and protect the population.

Regarding the processing of employees' data, the DPA recognises that employers have a duty of care towards their employees, which includes the prevention of health-related risks in the workplace, including the prevention of infections and limiting the spread of the virus.

The DPA recognises that this duty may include “in particular” collection of data from persons for whom an infection was confirmed or reasonably suspected due to:

  • contact with another infected person, or
  • staying in a high-risk area.

Having the employees and visitors complete a questionnaire to address these topics would likely be permissible, provided the questions are sufficiently general.

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

The obligation of an employee to notify their employer of an infection (or suspected infection) may arise out of the general duty of care the employee owes to their employer. This duty does not, however, extend to reporting whether an employee carries the antigen.

The general duty of care also applies in the other direction, and allows the employer to ask the employee whether they are infected or have been in contact with an infected person. Such inquiries constitute processing of health data and may be justified by the fulfilment of employment law duties under Art 9 para 2 lit b and Art 6 para 1 lit c or f GDPR.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

According to the DPA, data on whether a person is (potentially) infected constitutes sensitive data that enjoys special protection in data protection law, particularly to prevent stigmatisation of individual employees. This data may, however, be processed to the extent necessary to prevent the further spread of the virus.

For every case, a determination must be made in accordance with the principle of data minimisation (Art 5 para 1 lit c GDPR) as to whether the infected employee must be named or whether it may suffice to simply communicate that an infection has occurred in the workplace. Naming an infected individual may be permitted if it is necessary to ascertain whom the infected person came into contact with.

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

Yes. The DPA has explicitly identified Art 9 para 2 lit i GDPR in connection with Section 10 para 2 of the Data Protection Act (DSG) as the legal basis for sharing information regarding specific cases of COVID-19 infection with health authorities.

According to the DPA, the current epidemic qualifies as a disaster situation, which is required for the application of Section 10 para 2 DSG. A corresponding obligation under the Epidemics Act may also apply.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

The DPA guidelines say that the processing of health data must comply with the principle of purpose limitation. The processing of health data for purposes other than healthcare, prevention of the spread of the virus and treatment is prohibited.

If it is necessary, for example, to determine whether persons from other workplaces have been in contact with an employee who tested positive for COVID-19, it may be permissible to transmit this data to affiliates. Great care must be taken, however, to transfer only as much data as is necessary to fulfil the purpose. It may be sufficient to enquire whether someone has visited the workplace of an employee who has tested positive for the virus, without identifying a particular individual at the outset. In most cases, transferring data to affiliates for these purposes will likely not be required and will therefore not be permissible.

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

No. As no special legislation has been implemented for such measures, the general data protection laws apply. Any processing must be reasonable in relation to the intended purpose. Special attention must be given to the relationship between the intended purpose or outcome and the measure used. To be permissible, the monitoring of employees would need to be the least intrusive measure capable of achieving the desired outcome, namely employees' compliance with social-distancing rules. In our assessment, this would not be the case.

Further, if the employer implements measures that allow it to monitor employees and that affect the employees' human dignity, the prior approval of the works council is required or, if there is no works council, the consent of each employee affected by the measure.

Such controls must be justified by the employer's interests, and the employer has to choose the least intrusive measure. Depending on the measure, it might not only affect but violate human dignity if it leads to massive interference in the private sphere of employees. If so, the implementation of the monitoring system would be unlawful.

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

The scope of application of the DSG is broader than that of the GDPR, as it also covers non-automated processing of data, including, for example, simply asking employees about their health (a practical example given by the DPA).

Section 16 of the Austrian Civil Code also provides general civil law protection for privacy and personality rights. It acknowledges every person's personality as an innate and fundamental right and provides a range of protections, such as the right to a sphere of privacy.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

Breaches of the GDPR may result in fines of up to EUR 20 million or up to 4% of total worldwide turnover, whichever is higher.

The DSG has its own penalties, which apply where a breach is not already subject to a GDPR fine. For such breaches (including the processing of data under false pretences concerning the event of a disaster) that do not already constitute a breach of the GDPR, fines of up to EUR 50,000 may be imposed.

Fines for GDPR and DSG breaches are imposed by the DPA, which may choose to fine either the entity or a natural person who acts for the entity in an executive position and holds supervisory powers within it.

Any person may claim material or non-material damages suffered as a result of an infringement of the GDPR or the DSG, and may seek injunctive relief (cease and desist) in respect of ongoing breaches.