As the spread of COVID-19 and the efforts to mitigate its effects have a direct impact on the activity of companies across all industries, the emergency measures taken to ensure the safety and health of employees and collaborators may require the collection and processing of special categories of data (such as health data). At that point, the legislation on the processing of personal data must be applied and observed.
Although this scenario contains new factual elements, the obligations of companies acting as data controllers remain the same as regards the processing of personal data, namely to comply with the principles provided by the GDPR.
In this context, the following aspects regarding the methods of data processing and ensuring compliance with the requirements of the applicable legislation must be considered by controllers as a matter of priority:
- What is the legal basis for processing personal data?
Considering that, in the context of COVID-19, companies intend to process special categories of data, such as data concerning health, they must ensure that the processing activity complies with the lawfulness principle and observes both the provisions of art. 6 and the provisions of art. 9 of the GDPR.
At first glance, the data processing activity may be based on the fulfilment of a legal obligation, but this reasoning implies (as far as Romanian law is concerned) an extensive interpretation of the provisions of the legislation on occupational health and safety, according to which the employer has the obligation to ensure the safety and health of the employees in all work-related aspects.
However, given that the aforementioned legislation does not expressly provide for an obligation of employers to take measures to analyse and determine whether a suspected illness exists, controllers may instead rely on a legitimate interest in processing employee data. In this case, controllers must document such processing by performing a balancing test (legitimate interests assessment).
As regards the requirements of art. 9 of the GDPR, it can reasonably be argued that obtaining the consent of data subjects is not necessary; controllers may instead consider the exception provided by art. 9 par. (2) letter g), according to which data concerning health can be processed when processing is necessary for reasons of substantial public interest, on the basis of Union or national law, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
- What categories of data can be processed?
In the processing activity, controllers must also respect the data minimisation principle. Thus, it is recommended that companies do not process specific data such as the body temperature of data subjects or the places to which they travelled, and do not collect data concerning health in a systematic and generalised manner, but limit the processing in this context to the data strictly necessary for the purpose of ensuring the health and safety of employees in matters related to work. Accordingly, we consider it advisable that the data subject not be asked an open question (e.g., to indicate the destinations where he/she travelled), but only to tick yes/no as to whether he/she travelled to the risk areas or whether he/she has COVID-19 specific symptoms, namely fever, cough, respiratory difficulties or tiredness. Depending on the answer, the person may be advised to see a doctor and to apply the measures communicated by the authorities for this situation.
Moreover, at international level, it has been recommended to set up a dedicated telephone line for the notification of COVID-19 cases, with the aim of ensuring confidentiality and avoiding possible discrimination between employees.
- How is the transparency regarding the processing activity in relation to the data subjects ensured?
If companies decide to implement measures that involve the processing of data concerning the health of employees, they have the obligation to inform the data subjects in advance of the purpose of the processing, the categories of data processed and their storage period, together with the other information required by art. 13 of the GDPR (such as the legal basis relied on and the recipients of the data). In this regard, controllers may consider preparing a dedicated information note that provides all the details related to data processing in the context of COVID-19.
- For what period can the data be stored?
As regards the storage of the health data processed to prevent the spread and mitigate the effects of COVID-19, controllers should consider storing such data separately from other employee data collected for other purposes (i.e., this data should not be stored in the personnel file). Controllers should also ensure the deletion of personal data collected during the crisis period after a certain time, established by the controller in compliance with the storage limitation principle provided by the GDPR. For example, the controller could establish that the data is retained for a reasonable period (such as 4-6 weeks) after the public authorities declare that Romania is no longer in a crisis situation, and that the data will then be deleted.
- Is it necessary to conduct a data protection impact assessment?
Given the nature, context and purposes of the processing of personal data, the possibility that a data protection impact assessment is needed, as provided in art. 35 of the GDPR, cannot be excluded.
If the processing activities that controllers intend to carry out in the context of COVID-19 are likely to result in a high risk to the rights and freedoms of data subjects, controllers must carry out such an assessment before starting the envisaged processing activity.
In view of the above, controllers must understand that, even though the effort to mitigate the effects of COVID-19 and the state of emergency have led to new processing activities, the provisions on the processing of personal data must continue to be complied with, both to achieve the intended results and to avoid the risks that such processing entails during this period.