The COVID-19 virus outbreak poses serious challenges to businesses operating globally, including in Europe. In response to the outbreak, governments worldwide are taking increasingly severe measures to fight the pandemic, and companies are implementing measures to ensure business continuity and protect their workforce. As a consequence, companies are contemplating steps which may impact privacy, including, for example, by subjecting employees, suppliers, and visitors to temperature checks, or issuing surveys to understand their workforce and visitors' recent travel and locations.

Such steps may involve the processing of personal information, and sometimes conflict with European data protection law. To clarify these issues, certain European privacy regulators (Supervisory Authorities or SAs) adopted emergency guidance covering COVID-19 related privacy issues. We have prepared FAQs to summarize the key takeaways.

Frequently Asked Questions

1. Sickness Monitoring and Administration

Q: Can we conduct mandatory temperature checks?

The answer to this question will vary in each European country. Several SAs prohibit compulsory temperature checks when entering the workplace because these are generally considered disproportionate and overly intrusive. For example, SAs in France,¹ Luxembourg,² the Netherlands,³ and Sweden⁴ have indicated that taking an employee's temperature is not allowed, despite the COVID-19 pandemic. The recent statement from the European Data Protection Board (EDPB) does not offer further guidance because it states that this is largely a matter of national employment and health and safety laws. The EDPB notes that the permissibility of "medical check-ups" is primarily a matter of "[…] national laws relating to employment or health and safety."⁵ The EDPB guidance, however, seems to suggest that temperature checks without further processing of temperature results are not covered by the GDPR. As highlighted below, certain SAs maintain the same view.

SAs that allow employees and visitors' temperature checks under specific conditions:

• The Spanish SA⁶ allows temperature checks if administered by healthcare staff, and only if carried out for COVID-19 prevention.
• The Italian government signed a protocol with trade unions⁷ permitting employers to proactively check employees' temperature if they i) only record high temperature, ii) accompany the checks with a privacy notice, iii) adopt appropriate security and confidentiality measures, and iv) only do so for COVID-19 prevention.
• The Belgian SA, which had initially prohibited temperature checks, updated its advice and took the position that it does not consider the measurement of employees and visitors' temperature as processing of personal data, provided that the results are not recorded.⁸
• The Greek SA⁹ allows temperature checks if i) no less intrusive measures are available, and ii) strict security measures are in place.
• Finally, although the Bulgarian SA¹⁰ has not published specific guidance relating to COVID-19 as of this date, it has announced that the temperature of every SA employee and visitor will be checked prior to entering the building.

Employers generally have an obligation to implement measures to protect employees based in the European Economic Area (EEA). SAs may relax their position on temperature checks as the pandemic progresses.

Q: Can information about a sick employee be shared with his/her colleagues and for what purposes?

Most SAs allow employers to notify their workforce of a positive COVID-19 case, for instance, to take protective measures towards colleagues who may have been exposed. However, if possible, the name or other identifying information about the employee should not be disclosed "to protect the individual's dignity."¹¹

Furthermore, the EDPB clarified that "Employers should inform staff about COVID-19 cases and take protective measures, but should not communicate more information than necessary. In cases where it is necessary to reveal the name of the employee(s) who contracted the virus (e.g. in a preventive context) and the national law allows it, the concerned employees shall be informed in advance and their dignity and integrity shall be protected."¹² In practice, employers must consider the principle of proportionality and consider whether it is necessary to name the affected employee, for instance, to reorganize the workforce. Employers should then consider whether they need to rely on the relevant employee's consent or if they can share such information to comply with their legal obligations as an employer; if consent is not required, employers should nevertheless inform the concerned employee before sharing health-status information with relevant colleagues.

Q: Can we survey contractors or visitors regarding symptoms, contact with a COVID-19 diagnosed person, or travel to a risk zone?

SA opinions on this point are divided.¹³ Some SAs consider such surveys disproportionate and unnecessary (e.g., Belgium, France, Luxembourg). Yet other SAs, which are increasing in number, take a more flexible approach and allow this (e.g., Germany, Iceland, Ireland, UK, Hungary¹⁴), typically on the basis of complying with a legal obligation or legitimate interests. Such surveys should not include questions about the individual's medical history, and should not request supporting health documentation. For instance, the Icelandic SA permits clear Yes/No questions, such as i) are you coming from a risk zone? ii) do you experience symptoms of COVID-19 such as headaches, fever, bone pain, and shortness of breath? and iii) have you interacted with someone who recently came from a defined risk area?

2. Remote Working

Q: Which security measures can we enforce for teleworking?

Companies should evaluate all SaaS applications that employees intend to use while teleworking to ensure that they are updated, they provide appropriate protection and security, and should plan for a large increase in use. Companies should ensure that computer and other IT equipment is encrypted as there is an increased risk of loss in transit, and VPNs/multi-factor authentication measures should be examined to ensure that they are up to date.¹⁵ Companies should backup data regularly to prevent data loss. If employees need to take equipment home, companies should maintain a log thereof.

Information security refreshers should also be considered as hackers and scammers¹⁶ may make use of the current state of affairs and try to actively target remote workers.¹⁷ Employees should be reminded to chat through the company's official channels, and not through social media applications. If employees need to take manual records home, they must ensure that they store and dispose of these safely, in a confidential manner. Employees should also be reminded of their confidentiality obligations to the company regardless of whether they are working in the workplace or at home.

Q: Can employees use their own personal devices when working remotely?

Most companies allow their employees to use their own personal devices for email access, but it is harder for companies to control the information security measures on such devices. In addition, work-related information is more likely to be mixed with private information. In practice, BYOD policies should be closely followed and enforced to ensure, for instance, that employees are not using any unauthorized software on their devices.

Q: Can we monitor employees' online presence?

Monitoring an employee's online presence may be justified on the basis of the company's business interests, for instance to calculate an employee's wage if he/she is paid per attendance/hour. However, employees must be made aware of such monitoring and companies should consider implementing measures to ensure sufficient transparency. At a minimum, a company's policies should identify the circumstances under which it may monitor the activity logs of its employees, and the legitimate business interest on which this is based. Note that the regular monitoring requirements remain applicable under the current circumstances and that national-specific regulations and SA sensitivity on the matter vary to a certain extent.

Q: Can we request an employee's current location or otherwise monitor the locations of employees?

The extraordinary circumstances created by the COVID-19 outbreak may require employers to have an understanding of their employees' effective residence, inter alia, in light of their obligation to protect the workforce. For instance, employees who reside in a "COVID-19 risk zone" may require additional assistance. If location monitoring is to be carried out, it should only be carried out in a manner that is strictly necessary for specific purposes, such as reducing the spread of COVID-19 in the workplace.

The legal requirements regarding electronic tracking in the EEA are not clear-cut. However, electronic tracking is generally considered disproportionate, and subject to restrictive conditions that vary by national regulation and SA policy (e.g., de-identification requirements, de-activation of fleet-tracking during free/private time, prior consent, etc.).¹⁸ However, member states may adopt legislative measures to safeguard public security that would allow for such collection. As such, companies should pay special attention to any emergency legislation enacted by their respective member states that may introduce safeguards and conditions for location monitoring.

3. Business Continuity

Q: Can we access emails of COVID-19 diagnosed employees for the purpose of business continuity?

It is generally accepted practice in most EEA countries that companies can access an employee's business inbox during a period of absence for business continuity purposes, but only if this has been clearly announced in relevant company policies.¹⁹ However, employers should consider whether there are less intrusive ways to ensure continuity, for instance, by asking the employee to give a full overview of ongoing work (if practically feasible). In addition, only professional emails should be accessed. It is also best practice to inform the employee of such access and to comply with the processes set forth in the applicable company policies (e.g., computer and network use policy; employee monitoring policy).

Q: Are the GDPR deadlines (e.g., to respond to a data subject, to respond to a data processing agreement (DPA) query, etc.) affected because of COVID-19?

SAs are generally silent on this topic, yet it is expected that SAs will be flexible with companies that may need to respond to a data subject request, or to an SA inquiry, while handling the COVID-19 outbreak. The UK SA has been clear about this, and has stated that it understands that company resources may be diverted from usual compliance and that, although it cannot extend statutory timescales, it will separately inform data subjects that they may experience delays when making information rights requests.²⁰ Similarly, the Irish SA recognized that companies may face delays when responding to individuals or the commissioner, advised that companies can also respond to a request in stages, and will fully take into account a company's extenuating circumstances.²¹ The Dutch SA issued a statement that it will give the government and companies time to focus on fighting the virus and will extend deadlines as appropriate.²² Finally, the Portuguese SA has announced that any privacy correspondence deadlines are interrupted while this exceptional period is ongoing.²³

Conclusion

Despite the extraordinary circumstances of the COVID-19 outbreak, data protection obligations continue to apply. Companies should thus be mindful of these, especially as the amount of sensitive data they may hold on their employees is likely to increase, and as the exodus from the office presents new informational security challenges. As the fast-changing pace of COVID-19 developments is likely to produce further changes, updates and guidance by SAs, companies would be well informed to stay abreast of such changes in order to react and respond appropriately.

^[1] Advice available at: https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles?mod=article_inline.

^[2] Advice available at: https://cnpd.public.lu/fr/actualites/national/2020/03/coronavirus.html.

^[3] Advice available at: https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/werk-en-uitkering/mijn-zieke-werknemer#mag-ik-mijn-werknemers-controleren-op-corona-7633.

^[4] Advice available at: https://www.datainspektionen.se/nyheter/coronavirus-och-personuppgifter/.

^[5] Advice available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf.

^[6] Advice available at: https://www.aepd.es/sites/default/files/2020-03/FAQ-COVID_19.pdf.

^[7] Advice available at: https://www.cisl.it/attachments/article/15466/Protocollo.pdf.

^[8] Advice initially published on 13/03, updated on 20/03: https://www.autoriteprotectiondonnees.be/covid-19-et-traitement-de-donn%C3%A9es-%C3%A0-caract%C3%A8re-personnel-sur-le-lieu-de-travail.

^[9] Advice available at: https://www.dpa.gr/APDPXPortlets/htdocs/documentSDisplay.jsp?docid=163,39,44,101,194,223,3,99

^[10] Advice available at: https://www.cpdp.bg/index.php?p=news_view&aid=1606. In addition, the Bulgarian Ministry of Health adopted an Order requiring that “employees or outsiders with manifestations of acute infectious diseases” should not be admitted to the work floor. This results in practice to conducting temperature checks.

^[11] See EDPB Statement: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf.

^[12] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf.

^[13] Depending on each country’s interpretation, this typically includes the following territories: Mainland China, Iran, Italy, South Korea.

^[14] Advice available at: https://www.naih.hu/files/NAIH_2020_2586_EN.pdf.

^[15] https://www.ncsc.gov.uk/guidance/home-working.

^[16] https://www.bbc.com/news/technology-51838468 and https://thehackernews.com/2020/03/covid-19-coronavirus-hacker-malware.html.

^[17] European Commission, ENISA, CERT-EU and Europol joint statement: https://www.enisa.europa.eu/news/enisa-news/joint-fight-against-covid-19-related-threats.

^[18] The ePrivacy Directive requires that operators render location data anonymous or obtain end-users’ prior consent. Location data may also be processed if permitted by member state law to safeguard public security (Article 15 ePrivacy Directive). In the employment context, the prior consent standard is generally relied on to track employees, albeit subject to restrictions and national variation.

^[19] For example, advice from Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/werk-en-uitkering/mijn-zieke-werknemer#mag-ik-mijn-werknemers-controleren-op-corona-7633.

^[20] Advice available at: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/03/data-protection-and-coronavirus/.

^[21] Advice available at: https://dataprotection.ie/en/news-media/blogs/data-protection-and-covid-19.

^[22] Announcement available at: https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-geeft-organisaties-meer-tijd-vanwege-coronacrisis.

^[23] Announcement available at: https://www.cnpd.pt/home/decisoes/Delib/DEL_2020_170.pdf.