Article Post on 31 March 2020

Communications from Data Protection Authorities: Recommendations to Employers


_Even in a crisis such as the COVID-19 pandemic, the rules resulting from data protection legislation continue to apply. While employers shall protect the health and safety of employees in the workplace, the main principles of the GDPR shall always be respected, in particular the principle of fairness, loyalty and transparency as well as the principle of data minimisation and proportionality._




Where personal data is processed for the purpose of preserving workers' health, the employer as data controller shall always rely on a lawful basis under article 6 GDPR, or under article 9 GDPR for specific categories of data, including health data.

In this respect, the Belgian Data Protection Authority (“APD”), whose interpretation may also be followed in Luxembourg, recalls that the current crisis may not justify systematic recourse to article 6 (1) (d) GDPR (processing necessary to safeguard the vital interests of the data subject or of another natural person) or article 9 (2) (i) GDPR (processing for reasons of public interest in the area of public health), unless, for the latter, explicit instructions are given by the authorities.

In particular, while article L.312-1 of the Luxembourg Labour Code provides that employers are obliged to safeguard the safety and health of their employees, they shall not assume the role of a physician.

In this respect, according to the Luxembourg data protection authority (“CNPD”), the following data processing operations are unlawful:

  • Requiring employees to provide daily body temperature readings or to complete pre-determined medical questionnaires; or

  • Having visitors or other external persons sign a pre-established statement certifying that they do not have symptoms of COVID-19 or that they have not recently travelled to a risk area, etc.

However, the CNPD regards as lawful:

  • Raising awareness and inviting employees to provide individual feedback to the employer or to the competent health authorities regarding possible exposure to COVID-19; or

  • Following a report, recording:

    • the date and identity of the person suspected of having been exposed;

    • the organisational measures taken to tackle the issue (containment measures, teleworking, contact with the occupational medicine service, etc.).
      Such data may then be transmitted to the competent health authorities on request.

In this respect, the employer shall facilitate the transmission of such information through secure and confidential means.

Such processing shall of course be strictly limited to the data necessary for the purposes pursued, limited in time, and transparent towards data subjects.

It should also be noted that, although teleworking should be favoured, the current situation does not justify greater infringements of the rights and freedoms of employees than in a normal teleworking situation.

As a consequence, the principles that apply in normal telework situations continue to apply, including the segregation between personal and professional data and the specific rules on employee monitoring resulting from Luxembourg labour law.
