This article also exists in German
_Even on a situation of crisis such as the COVID-19 pandemic, rules resulting from data protection legislation shall find application. While employers shall protect the health and safety of employees on the workplace, the main principles of the GDPR shall always be respected, in particular the principle of fairness, loyalty and transparency as well as the principle of data minimisation and proportionality.

(infographic can be downloaded below)
Where a processing of personal data for the purposes of preserving workers health is carried out, the employer as data controller shall always rely on a lawful basis according to article 6 GDPR or article 9 GDPR for specific categories of data including health data.
In this respect, the Belgian Data Protection Authority (“APD”), whose interpretation may also be followed in Luxembourg, reminds that the actual crisis may not justify a systematic recourse to article 6 (1) (d) GDPR (processing necessary to safeguard the vital interests of the data subject or of another natural person) or article 9 (2) (i) (processing for reasons of public interest in the area of public health), unless, for the latter, explicit instructions are given by the authorities.
In particular, while article L.312-1 of the Luxembourg Labour Code provides that employers are obliged to safeguard the safety and health of their employees, they shall not assume the role of a physician.
In this respect according to the Luxembourg data protection authority (“CNPD”), the following data processing are unlawful:
-
Requiring employees to provide daily body temperature readings or to complete pre-determined medical questionnaires; or
-
To have visitors or other external persons sign a preestablished statement certifying that they do not have symptoms of COVID-19 or that they have not recently travelled to a risk area, etc.
However, the CNPD regards as lawful:
-
Raising awareness and inviting employees to provide individual feedback to the employer or to the competent health authorities regarding possible exposure to COVID-19; or
-
Following a report, recording:
-
the date and identity of the person suspected of having been exposed;
-
the organisational measures taken to tackle the issue (containment measures, teleworking, contact with the occupational medicine service, etc.).
Such data may then be transmitted to the competent health authorities on request.
-