COVID-19 and what it means in Relation to GDPR

Date 17 mar. 2020
Download PDF version PDF

Introduction

The recent outbreak of COVID-19 in Denmark has given rise to a number of questions in relation to the handling of personal data. The following is a summary of some of the specific considerations in relation to employers’ handling of their employees’ personal data during the COVID-19 outbreak.

 

Collecting Data regarding COVID-19

The situation with COVID-19 does not change the fact that all handling of personal data must be in accordance with the GDPR, EU Regulation 2016/679. Accordingly, all handling of personal data must follow the fundamental principles of the GDPR, such as purpose for handling, information to the person, and proportionality between purpose and sensitivity.


In order for the employer to take the necessary measures to avoid any outbreak or transmission of the COVID-19 among employees, the employer might want to know and collect more detailed information about the employees’ health than what is usual practice. However, it is important that the personal data collected and stored is only that which is actually required for the employer to secure the workplace, e.g. by preventing or limiting outbreaks.


Before collecting any additional information about the health of their employees, the employer should carefully consider which kind of additional information is actually required and why.


The types of information normally categorized as “not-sensitive personal data” is information such as name, age and travel information. Handling and collecting such type of data requires legitimate reasons for the employer.


Collecting more sensitive information such as information about the health situation of an employee ordinarily requires a specific written consent from the employee. However, even without such specific consent, the employer may be allowed to collect such sensitive data, if there are weighty arguments for this.


The employer may have very good arguments to collect health information from employees during this COVID-19 outbreak. Only by knowing about the actual health situation, the employer is enabled to take the appropriate measures. However, before collecting such information, the employer must carefully consider the purpose of collecting the specific pieces of information about the current health situation of an employee.


Provided that the request for information does not violate any special regulation on confidentiality, the Danish Data Protection Authority has stated that the following information may most likely be legitimate for the employees to collect:

  • Whether an employee has recently returned from a risk area
  • Whether an employee is placed in quarantine
  • Whether an employee is ill and showing symptoms of the COVID-19

Normally, personal data may not be transferred without prior consent. However, certain specific circumstances will allow for the employer to transfer the information mentioned above to third parties. This would be legitimate in a situation such as one where the employer receives information that an employee has been infected with the COVID-19, and the employer thus must take specific measures. In this case, the need to pass on the information to e.g. management or relevant colleagues will allow for this health information to be transferred to third parties.


If a situation arises where the employer must share health information about an employee, the employer should carefully consider the following:

  • Is there a legitimate need for storing and transferring the personal data?
  • How much information must be shared in order for the message to come through – is it possible to disclose less?
  • Is it necessary to disclose the name of the employee – or could the information be given on a no-name basis?

Concluding Remarks

The above is not an exhaustive list of GDPR relevant considerations to make during the COVID-19 outbreak. More considerations may be relevant in the individual companies.


Generally, we recommend that the individual company considers the necessary measures to take during the COVID-19 outbreak and informs the employees accordingly. Such measures could include e.g. rules for hygiene, rules for reporting of travel activities, restrictions on travelling, and rules for reporting of illness.



If you have any questions or would like further information on the above, you are welcome to contact partner Pernille Nørkær (pno@mwblaw.dk) or Junior Associate Sarah Veje Rasmussen (svr@mwblaw.dk).


The above is not legal advice and Moalem Weitemeyer Bendtsen does not warrant that the content of the above is correct. With the above, Moalem Weitemeyer Bendtsen has not assumed responsibility of any kind as a consequence of a reader's use of the above as a basis for decisions or considerations.