Due to the spread of the coronavirus (COVID-19), the situation regarding the processing of personal data has changed in many companies. Many employers are taking measures to prevent the spread of the coronavirus. However, when implementing such measures, it is crucial that the processing of personal data complies with legal regulations and that security measures are put in place to adequately protect the processed data. In this article, we answer several questions that have arisen regarding the processing of personal data in connection with the spread of the coronavirus.
Employers must ensure the occupational health and safety of their employees
Currently, a situation has arisen in which it is necessary to protect the health of employees to a greater extent, as they are at significant risk from the spreading COVID-19 coronavirus. The protection of employees at work is an integral part of labor relations. An employer can ensure such protection through a system of measures derived from legal regulations, organizational measures, technical measures, health measures, and social measures aimed at creating working conditions that ensure occupational safety and health, which will be effective in the current situation against the spread of the infection.
Many employers have such measures described in their OSH documentation, but these often do not include anti-epidemic measures that would ensure the protection of employees against infection. For this reason, it is necessary for every employer to adopt such measures in light of the current state of the spreading epidemic.
One such measure may involve gathering information from employees, such as whether they have recently traveled abroad or been in contact with an infected person. Employers may collect this personal data from their employees or visitors via a questionnaire specifically to ensure a healthy work environment for their employees.
Measure – Temperature Checks
Another measure currently being adopted by many companies is taking the temperature of every person who enters the company’s premises. Here, however, we must realize that this involves the processing of a special category of personal data (sensitive personal data). In order for such data to be processed, it is necessary to establish a proper legal basis under Article 6(1) of the GDPR and to limit such processing to the necessary purpose. But what does this mean? It means that the employer must first identify one of the conditions listed in Article 9(2) of the GDPR and use it to justify the processing of this special category of personal data. The Office for Personal Data Protection considers Article 9(2)(i) of the GDPR to be the appropriate legal basis for processing such data, namely that processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health or ensuring a high level of quality and safety of healthcare and medicines or medical devices, based on Union or Member State law. However, in order to rely on this ground for processing personal data, such an obligation must be established in a separate legal regulation. At the time the Slovak Republic declared a state of emergency, the relevant legal regulation was Act No. 42/1994 Coll., the Act on Civil Protection of the Population. However, an employer may adopt this measure only for as long as the state of emergency persists in Slovakia; thereafter, there will no longer be a legal basis for such processing.
Another obligation imposed by this measure (temperature measurement) is the restriction of processing to the specified purpose. It is important to note here that we measure body temperature to prevent the spread of infection and to prevent a potential carrier of the infection from entering the premises. Therefore, there should be no systematic processing of the measured body temperature values (they should not be stored). This data should truly serve only to allow entry into the premises.
As part of this measure, we must not forget the obligation to provide information, which must be made available to the data subject before we require an employee or visitor to have their body temperature measured.
Processing of Data on Employees’ Health Status
Under normal circumstances, an employer should not collect data on the health status of its employees. Since the Slovak government has declared a state of emergency, it is permissible to process such data; however, there should be no systematic or blanket processing of personal data. This means that if a coronavirus case is detected among employees, the employer may record this information. However, the employer must not collect such information across the board or inquire about employees’ health status (symptoms of illness).
Data regarding an infected employee must also be properly protected. If an employer learns of an infection within their company, they should notify the relevant authorities. Under no circumstances, however, should they disseminate such information among other employees; if they wish to notify employees of a coronavirus outbreak in the workplace, they may do so only in the form of anonymized information (the employee’s name or job title must not be disclosed). It is also necessary not to retain such employee data for longer than is necessary to fulfill the purpose.
Measure – Home Office (Working from Home)
Another measure that companies are widely implementing (where possible) is working from home. The employer should ensure the protection of all personal data that will be handled outside the company’s headquarters or premises. This protection is achieved by adopting the following rules:
- Establishing a VPN connection to ensure remote access to the server (thereby ensuring the confidentiality and integrity of personal data).
- Training all employees on how to handle personal data in a home environment.
- Raising awareness of potential cybersecurity incidents.
- All personal data stored directly on a computer must be encrypted.
- Additionally, every technical device on which personal data is stored must be protected with a sufficiently strong password.
- The controller should describe all rules regarding the use of technical equipment in a policy, which should be adopted internally and distributed for review to all authorized individuals who will be working from home.
Despite the current situation, care must be taken to ensure that the processing of personal data is lawful and in compliance with the GDPR and Act No. 18/2018 Coll. on the Protection of Personal Data. If you have any problems, questions, or need forms, you can contact our partner company Top privacy s.r.o. at any time; they specialize in personal data protection.