Now that a large part of Belgium and the world is in the grip of the new coronavirus (COVID-19) and preventive measures have been promulgated by the Belgian government, the question arises as to what personal data organisations are allowed to process of their employees in the context of the new coronavirus. A brief explanation.
First and foremost, it should be remembered that Article 9.1 of the GDPR prohibits the processing of health data. Keeping track of the fact that a specific employee or freelancer is infected with the new coronavirus qualifies as processing health data. In principle, this may also not be communicated internally to colleagues of this employee or freelancer.
However, several exceptions may apply to the prohibition on processing health data. A possible applicable exception in this case is Article 9.2(i) of the GDPR. This article states that the processing prohibition does not apply if:
“processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”
In other words, an organisation may process health data:
It is important to stress that an organisation invoking the above exception must always comply with all other data protection principles. For example, there has to be a legal basis, employees and freelancers have to be informed, the principle of data minimization has to be respected and processing activities always have to be proportionate and transparent.
Below we try to answer some of the common questions. Although most of the answers also include a labour law aspect, we focus on the privacy and data protection aspects below.
Can the names of infected employees or freelancers be disclosed?
No. However, colleagues can be informed of the fact that another colleague is infected with the new coronavirus, without the infected colleague being able to be named or identified. For example, do not mention the department of the infected colleague if that department consists of only one person or a limited number of persons.
Can customers or visitors be contacted by e-mail if they have not given their consent?
It depends on the purpose of your e-mail. Sending marketing emails requires prior consent in principle, but this rule does not apply to sending purely informative emails. For example, if an event is cancelled, you have to inform the participants. This can be done by e-mail, even without prior consent.
Can employees or freelancers who work from home be extra-checked?
Employees or freelancers who work from home may not suddenly be subject to extra checks, for example by means of certain software, without their knowledge. Moreover, in this case the applicable collective labour agreements or other rules must be complied with.
Can personal data of employees or freelancers be shared with public services?
First, the question arises as to whether the requested personal data can be shared, because personal data that have not (yet) been collected cannot be shared. In addition, it is unlikely that a public authority will request information relating to one specific person. If you do share personal data, there must always be a legal basis for doing so. In any case, do not share personal data with a public service simply because it is a public service.
Can employees or freelancers be subject to general and systematic health checks?
No. This seems to be a disproportionate measure in most circumstances. In the Belgian legislative framework, the occupational physician has a role to play here.
Can employees or freelancers be required to complete a medical questionnaire?
No. Employees or freelancers may be asked to voluntarily share certain information. Always keep the principle of data minimisation in mind and think about how long this questionnaire will be kept. Inform any participants in a transparent way. In the case of health data, you should also take the prohibition on processing such data into account.
(*) The above answers do not constitute legal advice. The answer depends in many cases on the circumstances. Please contact us with your specific question.
More information can be found on the websites below:
Do you still have questions about the processing of health data? Contact Timelex.