Home
published on 11 March 2020 | reading approx. time 2 minutes
The coronavirus (Covid-19) continues to expand all over the world. In France measures are taken by the authorities to contain the spread and mitigate the effects of the virus.
While companies must take measures to ensure the good health of their employees and to prevent the propagation of the virus, they must be careful not to violate the privacy of the data subjects and to comply with the GDPR.
The French data protection authority (the CNIL) has edited recommendations for employers about what they can do and what they cannot do in accordance with the GDPR and in order to respect the employees’ privacy.
Information about employees’ health are classified as “sensitive personal data”, in the sense of article 9 of the GDPR, and the processing of these data is particularly supervised.
Employers can process medical data relating to a data subject where it is necessary for the employer to comply with its legal obligations in relation to health and safety.
Even in case of an epidemic, key principles of the GDPR must apply:
If contamination is reported, employers can collect some data:
Employer will thus be able to communicate to the health authorities, at their request, the information relating to the nature of the exposure necessary for any health or medical care of the exposed person and also to limit contamination.
According to the CNIL, it is not possible to collect data in a systematic and generalized manner, or through individual inquiries and requests, to seek possible symptoms presented by an employee or his/her relatives.
For example, it is not possible to:
These recommendations are likely to change as the spread of the virus progresses. In this regard, it is recommended to keep informed through the Government’s website and to be attentive to officials guidelines. The CNIL recommendations are accessible here and can evolve.
Coronavirus: What you need to know
Leila Benaissa
Send inquiry