Up Again Luxembourg: Privacy and Data

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

Article L. 312-1 of the Labor Code requires the employer to take any measures necessary to ensure the health and safety of the workers. The National Commission for Data Protection (CNPD) discourages employers from collecting information on possible symptoms experienced by an employee/visitor or their relatives in a systematic and generalised manner, or through individual inquiries and requests.

An employer should encourage the employees to visit a doctor and ask them to stay home (on paid leave) if there is reasonable suspicion that they may have contracted COVID-19.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

Article L. 312-1 of the Labor Code requires the employer to take any measures necessary to ensure the health and safety of the workers.

The CNPD discourages employers from filling in medical forms or questionnaires which have been drawn up in advance. The CNPD further discourages employers from requiring visitors or other external people to sign a standardised statement, certifying that they do not have symptoms of coronavirus or that they have not recently travelled to a risk area.

The CNPD reiterates that only healthcare professionals may collect, implement and access healthcare questionnaires from employees containing data relating to their state of health or information, for example concerning serological or COVID-19 screening tests. The results of these tests are subject to medical confidentiality: a healthcare professional only informs private and public entities whether or not an employee is able to work.

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

Employees must take all steps to preserve the health and safety of themselves and colleagues, as provided by article L. 313-1 of the Labour Code. As such, they must, in principle, inform their employer if they suspect they have been exposed to the virus (i.e. through a member of their household).

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

Following guidance from the CNPD on confidentiality, any data processing carried out in the context of preventing the spread of COVID-19 must be done in a way that ensures the security of the data, in particular any health data. The identity of the data subjects cannot, therefore, be disclosed to third parties or the data subjects’ colleagues without justification.

Where possible, the information should be given without the person in question being identifiable.

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

Where notified of a case of COVID-19, businesses may, as part of their health and safety obligations, collect and store:

  • the date and identity of the person suspected of having been exposed to COVID-19; and
  • the organisational measures taken as a result (e.g. containment measures, teleworking, contact with the occupational health service).

Employers may communicate, to the health authorities at their request, information related to the nature of the exposure that is necessary for any health or medical care of the exposed person.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

Health data is in principle not processed by employers in Luxembourg.

Only health professionals are authorised to access data relating to the health of infected persons or persons at high risk of infection.

They have access to personal data relating to health to the strict extent that such access is necessary for the performance of the legal or conventional missions entrusted to them to prevent and combat the COVID-19 pandemic, and are bound by professional secrecy under the conditions and under the penalties in article 458 of the Criminal Code.

The personal data processed must be anonymised no later than three months after their collection.

Where an employer exceptionally processes health data, such data may only be transferred in strict compliance with the provisions of Regulation EU 2018/1725 (“GDPR”).

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

Homeworking is recommended by the government wherever it is possible. If this cannot be done, article L. 312-1 of the Labor Code requires the employer to take any measures necessary to ensure the health and safety of its workers.

To limit risks, the employer should implement prevention, information and training measures, for example issuing internal instructions on social distancing in the workplace.

The employer could introduce a social-distancing policy and impose (proportionate) disciplinary sanctions, such as a warning, if the rules are not followed. For any adoption of a new policy (or amendments to an existing policy), the staff delegation is required to give its opinion on the policy and to monitor its enforcement.

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

When processing COVID-19-related data, the employer must respect the seven key principles in GDPR, such as purpose limitation, data minimisation, and storage limitation.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

GDPR breaches may be sanctioned with administrative fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Under the Law of 1 August 2018, the CNPD can impose penalty payments of up to 5% of the average daily turnover achieved during the previous financial year, or during the last closed financial year, per day of non-compliance.