Up Again France: Privacy and Data

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

French data protection laws provide that employers must refrain from systematically and generally collecting information related to any symptoms presented by workers or visitors.

The CNIL has thus maintained its position that employers cannot:

  • impose mandatory body temperature readings for each worker or visitor that are then sent daily to the line management; or
  • collect medical forms or requests from workers/visitors.

For more information, see the CNIL reminder of 7 May 2020.

In addition, the Ministry of Labour has issued a protocol to ensure employees’ health and security: a temperature check at the entrance of premises is not advisable; this measure is considered efficient by the Ministry of Labour.

Everybody may, however, check their own temperature and take appropriate measures if any symptom is detected. Should the employer implement temperature checks as a precautionary measure for employees entering a work site, several conditions must be met:

  • it must be justified;
  • the check must be proportionate to the purpose sought;
  • proper information must be provided to employees on the conditions of the check and their consequence;
  • a note of service amending the Internal Regulation (subject to the CSE prior consultation) will have to be adopted; and
  • the temperature check must not be intrusive and should be conducted on a voluntary basis.

If an employee refuses such a check, no sanction can be taken against them for refusing, and the employee must be paid as usual (even if the employee cannot telework). In any event, no data will have to be collected on the temperature.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

No, as clearly stated by the CNIL, employers are not allowed to conduct any survey on an individual basis on possible symptoms or contact with anyone with such symptoms or any other information related to the spread of the virus. Employers are not supposed to have access to employees’ health-related data.

Under the French Labour Code, not only must the employer ensure the security of and protect the physical and mental health of its employees, but each employee must also preserve the health and safety of themselves and of other workers.

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

No, an employer cannot require such notification. Instead it should raise awareness of COVID-19 and invite any employees who have contracted COVID-19 (or been in contact with someone with COVID-19) to stay at home and contact the healthcare professionals without delay.

Employers should also facilitate the transmission of such information by setting up, if necessary, dedicated channels and by collaborating with health authorities if they are contacted regarding COVID-19 contact tracing.

Where there is a potential case of contamination in the company, the employer should follow a protocol drafted with occupational health to take appropriate measures to isolate the employee concerned and invite them to return home.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

As an employer, the company is responsible for its employees/agents’ health and security under the French Labour Code. Therefore, the employer should inform employees who may have been in contact with an infected employee about a possible case of infection, to raise their awareness if they notice any symptoms. However, the information provided must be anonymised and must not include the name and surname or any other information related to the person who has been infected and that is not necessary for a prevention purpose.

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

Where necessary for the medical care of an exposed employee, and for the possible tracing of people the employee has been in contact with, the employer may share data related to the circumstances of the exposure with the health authority that requests it.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

Employees’ health data related to COVID-19 should not be sent to an affiliate located outside the EEA unless this is justified by a legal basis. In such a case, provided that the transfer is justified, data minimisation (such as pseudonymisation) should be carried out.

The employer must also implement transfer mechanisms (e.g. EU Commission Contractual Model Clauses) to be signed between the transferor and transferee.

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

The employer must clearly inform its employees on the organisational measures to ensure social-distancing rules (e.g. the distance to be respected and the minimum square meters to allocate to each employee, which will determine the number of employees who may be present at the same time, depending on the size of the area of the workplace). But the employer should not individually monitor how each employee moves within the workplace.

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

Yes, based on the GDPR principles and French data privacy law principles, the data that may be collected for the purpose of tackling COVID-19 remains very limited – as indicated in CNIL guidelines of March 6, 2020, in accordance with the principle of proportionality and data minimisation.

For the limited data it may collect, an employer must comply with all the GDPR provisions, including the obligation to inform employees of the conditions of processing of personal data including, without limitation:

  • the specific purpose of such processing;
  • the obligation to hold the data record corresponding to such processing;
  • the obligation to ensure the data security;
  • the obligation to determine a limited data-retention period;
  • the obligation to implement employees’ rights of access, rectification and erasure; and
  • the obligation to carry out a privacy impact assessment.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

An employer that does not comply with the GDPR provisions may be sanctioned by the CNIL by one of the following measures:

  • Administrative fines by the CNIL up to EUR20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
  • Several types of sanctions:
    • warning
    • formal notice
    • injunction
    • order for immediate cessation of the infringing data-processing
    • temporary limitation of the processing
    • suspension of the processing
  • A significant reputational risk in the event of publication of the CNIL's decision sanctioning the employer on its website. This information is generally published by the press.
  • Criminal sanctions that could be ruled by a French court on the basis of articles 226-16 to 226-24 of the French Criminal Code (e.g. Article 226-18 states that the collection of personal data through unlawful means can be sanctioned by five years' imprisonment and a fine of up to EUR300,000).