Does Coronavirus Affect GDPR?
Believe it or not, the GDPR is affected by CO-VID 19’ as well.
The new decade brought new challenges for humanity. Right after the start of 2020, the world has been shaken with a virus called COVID-19. As of 9 March, more than 110,000 people have been infected in more than 80 countries, according to the Johns Hopkins University Center for Systems Science and Engineering.
There have over 3,800 deaths globally. Just over 3,000 of those deaths have occurred in mainland China. 62,000 people have recovered from the coronavirus.
States are taking precautionary measures to prevent the spread of this virus. Many companies are suggesting their employees work from home, take their work laptops with them. Airlines are asking the passengers to fill a form to keep track of the possible spread of the virus.
Amongst the preventive measures taken by the companies, employers are monitoring the state of health of their employees by monitoring the recent travels of their employees or by obliging them to fill questionaires about themselves.
In order to prevent potential data breaches related to health monitoring, different data protection authorities of different jurisdictions provided guidance.
For instance, French data protection authority CNIL informed organizations to not collect the body temperature of their employees or visitors.
The CNIL explicitly mentioned that, if an employer is aware of a case of COVID-19 within the organization, the employer may record:
- the date and identity of the person suspected of having been exposed to the virus;
- the organizational measures are taken (isolation, remote working, contact with the workplace doctor, etc.).
Italian Data Protection Authority, where the largest amount of COVID-19 cases in Europe were reported, also published guidance on this.
Italian DPA simply prohibits the collection of health data about their employees and also prohibits the collection of their employees' travel history.
France directly obliges employees with COVID-19 to report their situation and in Italy employee’s are required to report their health conditions.
Since there is no unified approach towards COVID-19 monitoring, it can be difficult for companies operating at a multinational level.
One may immediately think of “consent” however it is worth reminding that consent is generally not a valid legal ground for the “employer-employee relationship”.
So, what are the alternatives?
Instead of monitoring, hygiene conditions at workplace can be improved, informative seminars can be given to the employees.
Moreover, instead of collecting information from employers directly, working-from-home can be an alternative approach. Employers can advise their employees who have traveled affected regions or have symptoms to work from home.
Last but not least, employers should make sure that the employers who are working from home are using the updated versions of online tools and complying with the privacy and security measures of the company.
Reminders from the CNIL on the collection of personal data:
Also, please see the online training provided by the World Health Organization to fight with the Coronavirus:
And who we are? We are Verilogy, a platform that tells you what to protect and why!
