COVID-19 and GDPR, can an employer ask where you have travelled?
The dangers caused by COVID-19 result in many employers unilaterally introducing measures to protect their employees from falling ill with the virus. For example, they measure their temperature before they enter the workplace or ask them to complete declarations stating where (in which country) and with whom they spent their holidays. As a result, a number of personal data is collected, including special categories of personal data (concerning health). An extraordinary situation, however, does not entitle employers to take completely arbitrary action.
What do the Personal Data Protection Office (“UODO”), National Labour Inspectorate (“PIP”) and Ministry of Family, Labour and Social Policy (“MPiPS”) say?
UODO states that personal data protection provisions must not hinder the implementation of activities in connection with the fight against coronavirus. Nevertheless, UODO refers to the provisions of the Special Act on preventing, counteracting and eradicating COVID-19, which enables employers to take actions recommended by the Chief Sanitary Inspector and the Prime Minister. UODO indicates that the Chief Sanitary Inspector or the state voivodship sanitary inspector acting under his authority may oblige employers to undertake certain preventive or inspection activities. However, UODO does not refer to employers’ admissibility to take actions at their own initiative. Neither do national regulations assist, because the Special Act remains silent in this respect.
The National Labour Inspectorate maintains that an employer is not entitled to independently assess the state of an employee’s health. There is also no legal basis for collecting information concerning the place where the employee has spent his/her holidays, and the employee is not obliged to disclose this.
According to the Ministry of Family, Labour and Social Policy, the employer should obtain the employee’s consent to measure his/her body temperature. However, the employee is obliged to cooperate with the employer to protect the life and health of employees. Such preventive action taken by the employer may be important in counteracting COVID-19. However, there is no degree of temperature set by the law provisions which would allow determining that an employee is sick or infected with COVID-19.
What do the regulations say?
The General Data Protection Regulation (“GDPR”) provides for certain derogations from the prohibition to process specific categories of personal data where this is necessary due to an important public interest in the field of public health (Article 9(2)(i) GDPR and recital 46 GDPR) or where this is necessary to fulfil a legal obligation to which the employer is subject (Article 9(1)(b) GDPR). Nevertheless, each of these provisions indicates that such entitlement should be derived from European Union or national law. Some seek the employer's rights that would allow him to take action to prevent the spread of COVID-19 in Article 207 of the Labour Code, according to which an employer must protect the health and life of workers by ensuring safe and hygienic working conditions. As UODO has not taken a position in this respect and taking into account the rigorous positions of PIP and MPiPS, this interpretation should be approached with caution.
Employers who would like to base processing of personal data concerning the employee's health on employee's consent should remember that pursuant to Labour Code provisions, this is allowed only at the employee’s initiative. This means that an employee should be guaranteed that this will be completely voluntary. The safest solution in this case appears to be to allow employees to measure their own temperature, e.g. by leaving a thermometer at the entrance to the workplace.
As regards the processing of the employee's ordinary personal data (e.g. concerning the place where the employee spent his/her holiday), it appears that the basis for such processing could be the employer’s legitimate interest (Article 6(1)(f) GDPR) based on the need to ensure employees’ safety. Nevertheless, taking PIP’s position into account, a more secure solution would be to obtain consent to the processing of such data. In relation to ordinary data, processing data on the basis of consent may take place at the employer’s initiative.
What is the solution?
If an employer decides to take certain measures to protect its employees from COVID-19, it is important that these measures are designed in a way that minimises the risk of exposure to allegations of violations of data protection regulations and violation of employees' personal rights, e.g. the right to privacy regarding where they spent their holiday/weekend.
The employer should primarily follow the principle of minimisation, i.e. collect only the data that is necessary to achieve the objective (e.g. instead of asking what country did the employee visit, asking him if he was in a high-risk country). Declarations collected from employees should be properly secured to prevent unauthorised access.
In case of more intrusive measures, such as testing employees’ temperature, it is important that the measurement results are not recorded anywhere and that the privacy of the worker is preserved when the temperature is being checked, so that third parties cannot access the test results. It appears that if an employer does not record the results of the temperature measurement anywhere, the provisions of GDPR will not apply, as there will be no automated processing of data and the data will not form part of a dataset (Article 2 RODO). Another issue, which will be discussed in a separate article, is what if an employee’s increased temperature makes the employer decide not to admit him/her to the workplace.
Karolina Romanowska