Intellectual Property and Technology
1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?
The Dutch Data Protection Authority (DPA) published guidance on the applicability of GDPR in the context of temperature measurements. The starting point remains that taking temperature tests as a measure to control access will, in most cases, be subject to the strict regime of GDPR – and, as such, according to the Dutch DPA, may only be performed by a medical professional or company doctor.
However, with respect to temperature checks, the DPA acknowledged that GDPR does not apply when there is no question of (automated) processing. This is where the temperature is just read and not recorded anywhere, and where the health data does not end up in an automated system.
This clarification provides scope for flexibility for companies that wish to carry out temperature tests as a protective measure against COVID-19. However, in order to successfully carry out temperature tests outside the scope of GDPR, companies must carefully design their test processes and procedures. For example, measures must prevent temperature checks from being stored or communicated in one way or another, such as by setting up an adequate procedure and providing training to the relevant staff.
Even if GDPR does not apply, according to the DPA, there may still be an unjustified invasion of privacy, for example if a visitor is denied access (by a security guard) while this is visible to other people in the queue (who could then draw conclusions about a visitor's state of health). Therefore, some flexibility and creativity is required to design the testing process in such a way that the integrity and privacy of employees and visitors is safeguarded.
The position of the DPA on processing health data of employees and visitors (including the outcome of the temperature reading) remains very strict. The position of the DPA is that employees and visitors are in a dependent position and therefore cannot freely give consent. The DPA is of the opinion that only medical professionals or company doctors are allowed to process such health data of employees, and that the employer itself cannot do so.
2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?
From earlier guidance published on the DPA website, the DPA classifies this information as health data. Consequently, the starting point is that the employer may not process such data. This may only be done by a company doctor.
The employer could ask or require employees not to enter the premises and to contact a company doctor when they are experiencing any symptoms, or to stay at home when experiencing symptoms, when they have been in contact with an infected individual, or when they have recently visited high-risk areas. If the company doctor suspects that the employee has COVID-19, they will urgently contact the regional public health service (GGD). In consultation with the employer, the GGD will then take measures regarding the workplace.
A similar approach could potentially be taken as with temperature checks. As long as the outcome is not recorded or shared by the employer, asking such questions should be possible (see question 1 above on temperature checks).
3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?
No, the DPA explicitly states that an employer may not enquire about the nature and cause of illness of employees. This also applies to members of the employee’s household, because this entails information on whether the employee has been in contact with an infected individual.
The DPA emphasises that even if the employee voluntarily informs the employer about having contracted COVID-19, the employer is not allowed to record or share this information.
4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?
The DPA emphasizes that it should remain up to the employee what they want to share about their illness. The DPA stressed that it is the primary task of the public health service (GGD) to prevent further spread of the coronavirus. If there is a risk of contamination in the workplace, a protocol from the GGD will be issued. This protocol will determine what measures will be taken.
An employer is allowed to inform immediate colleagues about the expected duration of an employee’s absence. The employer may also ask the employee whether they want it to inform the employees of other organisations they have been in contact with. Finally, the employer may tell other employees that it is the employee’s choice whether they wish to share more information about their absence or illness.
5. Can an employer share information with a health authority about COVID-19 cases they become aware of?
No. Because the employer is not allowed to process health data of the employee, an employee may be sent to the company doctor or a medical professional. If they suspect that the employee is infected with COVID-19, they will urgently contact the regional GGD. In consultation with the company, the GGD can then take measures regarding the workplace.
6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?
No. The employer is not allowed to process health data of its employees. This includes sending data to one of its business’ affiliates.
This does not apply to, for example, administrative absence data (such as the date of reporting sick, the expected duration of the absence, and the date of recovery). Such may potentially be shared within the group to the extent reasonably required.
7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?
This depends on the factual circumstances of each specific case. Employee monitoring is subject to strict requirements and permissibility should always be assessed through a data protection impact assessment. The employer should, for example, assess the impact of the proposed monitoring measures, whether such measures are proportional and whether the same results cannot be achieved by implementing less intrusive measures (e.g. remote working, temperature checks (without recording), or hygiene requirements).
General data protection principles should always be taken into account (e.g. data minimisation, providing notice to employees).
8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?
When the employer processes personal data, the general GDPR requirements apply.
This means personal data should be processed lawfully, fairly and in a transparent manner. The data should be collected for specified, explicit and legitimate purposes. Data can be collected only when it is necessary for a specific purpose. The collected data should be correct and recorded only for a limited time, and adequate protection measures should be in place.
9. What are the risks if I am in breach of the GDPR or local privacy laws?
When there is a breach of GDPR, the DPA can conduct an investigation with the possible outcome of a fine. This fine can be up to EUR 20 million or 4% of the maximum worldwide yearly turnover of the business, whichever is higher.
Further risks are legal (civil) claims and reputational damage.