- 01 Apr 2020
Even before the coronavirus hit, it was difficult to navigate your way between the obligation of an employer to ensure a safe workplace and the obligation to protect the privacy of (sick) employees. The privacy legislation in the Netherlands and the privacy watchdog the Dutch Data Protection Authority (AP) are very strict when it comes to processing employee health information. With the advent of corona and the measures to be taken according to the government and RIVM, employers are facing new legal dilemmas. We hear questions such as: can I take people’s temperatures on entry? Can I pass on the name of an employee infected with corona to his colleagues, etc. Below you will find the answers to the most common questions.
Processing employee health data: a recap of the do’s and don’ts
Employers are not allowed to process employee data (for example, store, store, transfer, etc.) that relates to the health of the employee. This is even not allowed if the employee voluntarily provides this information to the employer. In the Netherlands, only the company doctor is entitled to process employee health data on the basis of a statutory task.
There are exceptions to the general processing limitations, for example in case of permission from the data subject or a legal obligation to process. Normally this does not help an employer, because an employer has no legal task with regard to the processing of health data and because we assume that an employee's consent in an employment relationship has no valid basis. Because an employee is always in a relationship of dependence with his employer, the permission cannot be given "freely" and this a requirement. Therefore: it is not permitted.
Does corona alter these facts?
The current question among many is whether the prevention of the further spread of the Corona virus and thus the protection of employees can be regarded as an exceptional situation and/or whether the importance of combatting the Corona virus can in some cases override the privacy obligations. After all, there is such a thing as the obligation of employers to ensure a safe and healthy workplace?
Let’s review the relevant grounds for processing:
- Is consent by the employee a valid ground in times of corona?
In our opinion, even in the corona situation, the employee's consent to have his health data processed (for example, the fact that he has a fever, has tested positive for corona, or belongs to a vulnerable group) is not valid. An employee in the present circumstances will likely feel obliged to agree to the processing of this information, because he wants for instance to prevent colleagues from getting infected and/ sick, so the permission cannot be given "freely".
- Is combatting epidemics an exception to the processing ban?
The EDPB (the European advisory body to the GDPR) published a statement on March 16 that specifically deals with the coronavirus. It emphasizes that the GDPR does not hinder measures in the fight against corona, because the GDPR provides a legal basis for processing in the context of epidemics, without permission being required. This applies, for example, when the processing of personal data is necessary for employers for reasons of public interest in the field of public health or to protect vital interests (Articles 6 and 9 GDPR).
In the Netherlands, however, these exceptions do not – legally – benefit us, since these have not been included in our GDPR Implementation Act. The protection of vital interests has been included in the Netherlands, but this exception only applies if the employee is physically or legally unable to give permission. This might occur in case of incompetence or someone on his deathbed. Therefore: these exceptions are of little use to an employer in the present corona situation.
What is possible?
We might imagine that, in exceptional cases, employers choose to invoke the general exceptions from the GDPR (protection of the public interest / vital interest of other parties involved), even though this is strictly speaking not legally possible in the Netherlands. In exceptional cases, an employer will be forced to make a choice between on the one hand combatting corona and protecting the health of its employees (which is also a legal obligation!) and, on the other, protecting the privacy of certain employees. Violation of both obligations entails separate labour law risks (such as claims for damages from employees, sanctions from the Labour Inspectorate and fines from the AP). However, in some cases it will not be possible for employers to be completely 'compliant' during the corona situation. If, as an employer, you still decide to process personal data concerning the health of employees in connection with corona, at least observe the following principles:
- do not process more data than required for the intended purpose (protection of employee health);
- keep the data only for as long as necessary and therefore delete all data after the corona epidemic has ended;
- inform employees that their personal data are processed
Should the AP decide to pursue privacy violations related to corona (note that there have been foreign supervisory bodies that have indicated that they will not do so), you will - as an employer – be able to show that you have done your utmost to limit the privacy violation. And the AP on its website seems to offer some leeway for a relaxation of the rules - unfortunately without further details.
Below the answers to six frequently asked questions:
1. We have an employee infected with Corona; how do we inform colleagues?
As stated, processing the fact that an employee is infected with corona is in principle nor permitted. Both registering this information and distributing this information to colleagues is a form of processing. However, colleagues have a considerable interest in knowing whether they have possibly been in contact with someone who has (apparently) been infected, for example if that colleague or his family members belong to a risk group.
You can inform colleagues within a team or the company about the fact that an employee has corona, if it is impossible to trace who that employee is. In that case, the AVG does not come into play. If this is possible (with large companies / departments), we recommend that you share the information anonymously. And if, due to the (small) size of the company, it is not possible not to mention the name, then strictly observe the above three principles. Incidentally, the employee himself is allowed to inform his colleagues about the fact that he has been infected with corona or poses a risk (for example because his partner works with corona patients).
2. May an employer take its employees’ temperature?
An employee's body temperature constitutes health data and processing it is in principle prohibited. The AP has confirmed that even in case of corona it is not allowed to take the temperature of employees.
This is different for external persons who wish access to the business premises: you can then ask the person concerned for permission. In that case, it is important to immediately delete the information obtained and not to save it.
It is conceivable that employees are also requested to measure their temperature, for example if this is done by a third party who is medically authorized to do so and who limits himself to reading the temperature, without storing information or by means of a temperature scanner, without physical contact taking place. You could take the position that no personal data is processed in that case. See next question.
3. May an employer ask an employee to check his/her health?
On March 20, the AP confirmed that an employer may request its employee that he/she closely monitors his or her health during the corona situation, especially if the employee cannot work from home but is present on the shop floor. The employee can in that case take his own temperature. You can also ask the employee to contact the company doctor, health and safety service or general practitioner for a check-up.
If the doctor suspects that your employee has the coronavirus, he will urgently contact the regional GGD. In consultation with you, the GGD can take measures for the workplace.
4. May we send a sick employee home?
Under normal circumstances, an employer is not allowed to inquire after an employee’s health (and to subsequently send the employee home). Given the present extraordinary circumstances, however, it is permitted to send an employee home if there is (a suspicion) that the employee is showing signs of a cold or the flu. This is in line with the advice issued by the AP.
5. May we ask an employee for his/her holiday destination?
Given the AP’s leniency in connection to questions into an employee’s heath situation, we expect that it will also be permitted to ask where an employee has been on vacation. The employer must ensure a safe and healthy working environment. If an employee has been in a severely affected 'corona area', the employer would want and must prevent this employee from possibly infecting colleagues. Therefore, the employer's duty of care should prevail. We also recommend that you follow the guidelines of the RIVM, whereby you instruct someone showing complaints within a period of two weeks following his return home, to contact his GP.
What data do we register/process when an employee reports ill?
In principle, it is not permitted to process an employee's medical data. The only data that can normally be recorded in the case of a sick employee is:
- The telephone number on which the employee may be reached and his/her (nursing) address;
- The expected period of illness
- The employee's current work activities and appointments
- Whether the illness is related to an accident at work. However, the employer is not allowed to ask whether the absenteeism is work-related.
In the current corona situation, both the duty of care of the employer and the privacy interest of a sick employee take up an important position. After all, the employer has a considerable interest in preventing the spread of the coronavirus among the employees. This situation is so dire and exceptional that the employer's obligation to ensure a safe and healthy working environment should prevail. Therefore, should health data be processed, always ensure to process the data in line with the purpose principles as mentioned at the beginning of the article. Make every reasonable effort not to share the name of the corona-infected employee, handle the information with highest level of care and remove all data immediately after the infection has ended.