Report on Supply Chain Compliance 3, no. 7 (April 2020)
Last issue, we discussed the Italian Data Protection Authority (DPA) guidance regarding the health data of employees. The DPA stated that the responsibility for handling health data lies with public health entities, not employers. Since then, several other DPAs in Europe have issued guidance for companies on how to handle the movement and security of personal data. Under the GDPR, health data fall within the special categories of personal data (Article 9) and are treated as sensitive, so processing them requires a specific legal basis such as explicit consent. In an advisory brief sent to organizations around the world, Cordery Compliance outlined the general stance toward health data, the ways in which organizations can obtain consent to process the data, and the data-security concerns that arise while employees work from home. The brief states,
Businesses have to take appropriate technical and organisational measures (TOMs) under GDPR to secure personal data. That will include securing the personal data of customers and other employees as well. If you are asking or permitting employees to work from home, you will have to make sure that you have the right protections in place for personal data both at the employee’s home and in transit. A recent Danish case, for example, shows that regulators expect organisations to make sure data is secure even when it’s being worked on outside the company’s offices.