GDPR Compliance To-Do List for Employers Processing Coronavirus-Related Data
April 7, 2020 – Alerts
In new guidance for employers, Hungary's data protection authority, the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), provides a helpful to-do list to help companies comply with the EU's General Data Protection Regulation during the COVID-19 pandemic.
Process Only What You Need
- "It is an important expectation that the processing of personal data is warranted only if and to the extent that the purpose of data processing cannot be achieved by other means not requiring data processing, and it must be examined in every case whether there are efficient solutions that pose less threat to the privacy of the data subjects."
- Data to be processed (collected and stored) must be absolutely necessary and proportionate for the purpose to be achieved.
- Specifying basic hygienic measures, cleaning work implements and offices more thoroughly, providing disinfectants and requiring their more frequent use or regulating the order of receiving clients and using glass partitions at customer service desks may, in some cases, provide efficient solutions without the processing of personal data.
Specify the Purposes for Processing
- The data controller must, first and foremost, accurately specify the purposes of the data processing and the legal basis on which it relies.
- Data controllers must also ensure the transparency of the processing and the accuracy and security of the data. A complete privacy notice under GDPR Articles 13/14 is required.
Employers are responsible for ensuring safe working conditions that do not endanger health, and for planning and developing the related methods of data processing.
- Develop a pandemic/business continuity action plan (preventive steps to be taken to reduce threats, measures to be taken upon the eventual appearance of the infection, preliminary consideration of the data protection risks of the measures applied, issues of responsibility within the organization and building efficient and adequate channels of communication facilitating the provision of information to the data subjects);
- Draft and distribute to employees an information document concerning the most important issues to be known in relation to the coronavirus and who to turn to in the event of any alleged contact with the coronavirus or upon the onset of other conditions specified in the information material.
What can be recorded:
If an employee reports possible coronavirus exposure to the employer, or the employer deems that the suspicion of exposure can be established from the data provided by the employee, the employer may record:
- The date of the report
- The personal data of the employee concerned, to establish their identity
- Information on whether or not the employee's foreign travel (business or personal) involved destinations or dates deemed high-risk
- Data concerning contact with a person arriving from such locations
- Based on information made available to the employer, the measures taken by the employer (e.g. ensuring the possibility of visiting the company doctor, permission for a voluntary quarantine at home).
This information may be collected by questionnaire if the employer concludes, based on a preliminary risk assessment carried out in advance, that this method is necessary and restricts employees' right to privacy only to a proportionate extent.
However, the questionnaires may not ask about the medical history of the data subject, and the employer may not require employees to attach health documentation.
- Employer-mandated screening with any diagnostic device (in particular, but not exclusively, a thermometer), or the introduction of mandatory body-temperature measurement applied to all employees generally, is excessive.
- If, based on an employee's report or in an individual case, and after considering all the circumstances or on the basis of a risk assessment, the employer finds it absolutely necessary for certain jobs that are particularly exposed to the disease, the employer may require temperature taking; it must then be carried out by a medical professional.
The relevant legal bases are GDPR Article 6(1)(c) and GDPR Article 9(2)(i), in conjunction with the Act on the Processing and Protection of Health and Related Personal Data; the Decree on epidemiological measures necessary to prevent infectious diseases and epidemics, which requires health care providers to report and keep records of infectious patients and persons suspected of having an infectious disease; and the Order on reporting infectious diseases and the prevention of infections related to health care.
For Non-Employees, Employers Should:
- Provide a detailed notice containing the most important information related to the coronavirus (source of infection, mode of spreading, incubation period, symptoms, prevention), together with a requirement that anyone entering the organization's site immediately notify the access control staff of any presumed contact with the coronavirus or the onset of other conditions specified in the information material.
- Address additional measures in the business continuity action plan.
Odia Kagan is Chair of the firm's GDPR Compliance & International Privacy Practice. She can be reached at 215.444.7313 or [email protected].