Up Again Belgium: Privacy and Data

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

According to the Belgian Data Protection Authority (DPA), merely taking someone's temperature does not constitute processing of personal data under GDPR, if it is not accompanied by an additional recording or processing of personal data (e.g. recording and storing historical measurement data, or carrying out any forms of automated decision-making with the collected data).

However, the Belgian DPA emphasises that, in general, an employer cannot take measures that exceed the existing employment law regulatory framework or instructions from competent authorities.

If the temperature monitoring or health checks go beyond the mere taking of temperature and include some kind of recording or processing of personal data, employers must comply with GDPR.

This means, among other things, that companies must have a valid legal basis under articles 6 and 9 GDPR. This requirement applies to data being collected via such checks from both employees and visitors to the work premises. Finding a correct legal basis may prove challenging.

Consent can provide a valid legal basis under both articles 6 and 9 GDPR for collecting and processing personal data of visitors entering the work premises. However, for employees, consent will not be considered a valid legal basis, given the subordinate position of the employee vis-à-vis the employer.

The Belgian DPA has rejected the possibility of relying on vital interests as a ground for processing, stating that “there is no reason for a broader or systematic application of the lawfulness ground contained in Article 6.1(d) GDPR in the context of the taking of preventive measures by companies and employers.”

As regards the legal basis under article 9, the Belgian DPA has noted that “companies and employers can only invoke Article 9.2(i) GDPR for the processing of this category of personal data if they are acting in implementation of explicit guidelines imposed by the competent authorities.”

In this regard, the best way to collect such data would be via an occupational physician, who would be able to rely on the legal grounds provided in article 6.1(c) and article 9.2(b) GDPR.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

The Belgian DPA states that an employer can oblige neither its employees, nor visitors entering work premises, to fill out such questionnaires.

Employers are allowed to encourage persons to voluntarily report relevant information (e.g. whether they are exhibiting symptoms, have been in contact with an infected individual, or have travelled to risk areas).

Ideally, any such information should be provided only to an occupational physician, who can then evaluate the person’s health situation and, if needed, report the relevant details to the employer.

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

Information on whether a person has contracted COVID-19 is to be considered as health data. Accordingly, collecting and processing such data requires a legal basis under both article 6 and 9 GDPR.

Given the guidance issued by the Belgian DPA, it is unlikely an obligation for employees to reveal such information directly to the employer would be considered lawful. Instead, employees should be encouraged to report to their occupational physician and follow their instructions.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

An employer may not disclose the names of infected persons to other employees. The Belgian DPA emphasises the importance of the proportionality principle, and states that this disclosure could have a stigmatising effect on the infected employee.

When proportionate to the purpose that is pursued (e.g. preventing further dissemination), the employer may communicate to other employees that an employee was infected without mentioning their identity.

The name of the infected person may, however, be communicated to the occupational physician or the competent government services.

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

Sending personal data to a health authority is the same as any other processing activity – it needs a valid legal basis. In such cases, the most likely avenue will be to rely on the performance of a legal obligation established by national or EU law.

In practice, this means that employers may share personal data of their employees with a health authority if there is a specific obligation in law, or if a competent state authority has issued an order addressed to the employer.

On the other hand, employers should carefully consider whether sharing any personal data with a health authority of their own accord is absolutely necessary in the given circumstances.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

To be able to transfer any personal data outside the EU, you need to have a valid legal basis. GDPR affords several ways to legitimise international transfers, the most likely solutions being either an intra-group data transfer agreement accompanied by Standard Contractual Clauses, or having in place binding corporate rules.

If the coronavirus outbreak has caused the employer to modify its data-sharing practices, they should also check whether their existing legal setup for transferring personal data outside the EU also allows the transfer of health data.

Often, due to additional complexities with special categories of personal data (such as health data), companies choose not to include such data in their data transfer flows.

In such situations, sending health data to an affiliate outside the EU, without adapting your legal setup, will be considered unlawful, as there essentially would be no legal basis to justify the transfer.

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

With the lockdown slowly being phased out, and people returning to work, employers may want to ensure that certain protective measures are still obeyed and enforced. Monitoring employees is not as such prohibited, but it needs to comply with all relevant rules and principles of GDPR.

This means having a valid legal basis to carry out any envisaged monitoring. Given that the most likely ground for this will be the employer’s legitimate interests, a proportionality test must be carried out to demonstrate that the need for monitoring outweighs the employees’ right to privacy.

To pass this test, an employer will need to implement all other measures required by GDPR, such as ensuring transparency of the monitoring, minimising the data collection, deleting the data when it is no longer needed, and taking measures to keep the collected data safe.

In addition, an employer will most likely also need to carry out a data protection impact assessment, as monitoring activities usually present a high risk to the data subjects’ rights.

Finally, employers must comply with any information and consultation requirements under employment law, in particular regarding employee representative bodies.

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

As stated by the European Data Protection Board, even in these exceptional times, the data controller must ensure the protection of the personal data of data subjects. This essentially means an employer still needs to comply with all relevant GDPR principles and any local data protection rules.

  • Be transparent: inform employees and visitors about the intended measures you plan to take, what data you will collect from them, for which purposes you will use it, and how long you will keep it. Don’t forget to indicate the contact person in charge of handling any data subject requests you may receive as a result of the measures you have taken.
  • Collect only data that you really need: the data minimisation principle requires you to collect data that is relevant for and limited to the aim pursued.
  • Delete the collected data when it is no longer needed: the data you collect should be retained no longer than what is needed to carry out the intended purpose. If you conduct temperature checks and collect any health-related questionnaires from employees and visitors, the collected data should be deleted immediately if the checked person is cleared as healthy.
  • Update your records of processing activities: many companies that keep such records will need to add new data processing activities if they perform processing activities relating to fighting COVID-19.
  • Perform a data protection impact assessment for more intrusive measures that would present a high risk to data subjects’ rights: doing so will minimise any risks in cases where a data protection authority later decides to investigate the lawfulness of the measures you took. This includes cases where you have implemented any employee-tracking measures, or other technology-heavy innovations.
  • Apply appropriate technical and organisational measures to protect personal data: ensure you are protected as much as possible from any cyber-incidents or other errors that may compromise data.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

GDPR empowers supervisory authorities to impose fines of up to 4% of the annual worldwide turnover, or EUR20 million, whichever is higher.

Other sanctions can be imposed by the Belgian DPA. Depending on the infringement and the infringer, the company and/or legal representatives can also be subjected to criminal sanctions between EUR800 and EUR160,000.

Finally, the Belgian DPA may also issue orders on the processing of personal data, such as orders to stop or temporarily freeze the processing.