Covid-19: The data protection challenges for employers in France

published on 11 March 2020 | reading approx. time 2 minutes

The coronavirus (Covid-19) continues to expand all over the world. In France measures are taken by the authorities to contain the spread and mitigate the effects of the virus.

While companies must take measures to ensure the good health of their employees and to prevent the propagation of the virus, they must be careful not to violate the privacy of the data subjects and to comply with the GDPR.

The French data protection authority (the CNIL) has edited recommendations for employers about what they can do and what they cannot do in accordance with the GDPR and in order to respect the employees’ privacy. 

Some essential reminders

Information about employees’ health are classified as “sensitive personal data”, in the sense of article 9 of the GDPR, and the processing of these data is particularly supervised.

Employers can process medical data relating to a data subject where it is necessary for the employer to comply with its legal obligations in relation to health and safety. 

Even in case of an epidemic, key principles of the GDPR must apply:

• the retention period is limited and it does not exceed the period strictly necessary for processing;
• the legal basis of the processing must be indicated: in this case it should be a “legal obligation” (e.g. the legal obligation of the employer to ensure the good health of employees, Government measures), or the “legitimate interest” of the employer;
• the collection of personal data must respect the principle of minimization: e.g. it is possible to ask if employees return from a country “at risk” and to advice not to go to these areas but it is not possible to ask for the schedule of employees or to force them to declare whether any of their relatives have travelled to such destination;
• the security of the data shall be highly guaranteed and the identity of affected individuals should not be disclosed to third parties or to their colleagues without a clear justification;
• measures implemented to manage the virus, which involve the processing of personal data, should be documented in the name of the principle of accountability that applies;
• companies must be transparent regarding the measures they implement in this context and they must provide their employees information about the processing of their personal data, the purpose of the collection and how long it will be retained for. This information must be provided in a format that is concise, easily accessible, easy to understand, and in a clear and plain language.

What an employer can do in accordance with the GDPR?

If contamination is reported, employers can collect some data:

• The date and the identity of the person suspected of having been exposed;
• The organizational measures taken (containment, teleworking, orientation and contact with the occupational physician, etc.);
   

Employer will thus be able to communicate to the health authorities, at their request, the information relating to the nature of the exposure necessary for any health or medical care of the exposed person and also to limit contamination.

What the employer cannot do under the GDPR?

According to the CNIL, it is not possible to collect data in a systematic and generalized manner, or through individual inquiries and requests, to seek possible symptoms presented by an employee or his/her relatives.
 

For example, it is not possible to:

• Take daily temperature readings of its employees or visitors;
• Ask its employees for their medical records; 
• Collect and process information about the health of the relatives of employees.
   

These recommendations are likely to change as the spread of the virus progresses. In this regard, it is recommended to keep informed through the Government’s website and to be attentive to officials guidelines. The CNIL recommendations are accessible here and can evolve.