COVID 19 – CNPD Best Practices in relation to processing by employers of health data (update 23 December 2020)

In April 2020, we issued an article about the legal principles and CNPD recommendations in relation to processing by employers of health data in the context of the COVID-19 outbreak.

On 21 December 2020, the Commission Nationale pour la Protection des Données (“CNPD”) updated its recommendations. The main updates are as follows.

First, the CNPD acknowledges that return-to-office policies (which will be held back given the new measures proposed on 23 December 2020 and adopted since then) multiplied the challenges faced by employers. Questions arise about the measures to be adopted to limit the propagation of the virus while ensuring security at work and complying with the conditions under which personal data can be used.

With respect to the duty of security, the CNPD encourages employers to consult, on a regular basis, information published by the Work Inspectorate, in particular information about the obligations they may have to comply with in times of health crisis.

The CNPD recalls that employees who are sick must, in accordance with the Labour Code, communicate to their employer only the potential sick leave to which they are entitled, without any details about the state of their health or the nature of the pathology (e.g. that they tested positive for COVID-19 or are showing symptoms).

The CNPD recalls that employers are not allowed to progress records about, or otherwise process, health data (including body temperature) relating to COVID-19 even regarding employees having voluntarily informed their employer that they have tested positive for coronavirus or are presenting symptoms. Moreover, contact tracing is reserved to the Health Inspectorate.

As regards temperature monitoring devices at building entrances, the CNPD insists again that, although it does not fall within its prerogatives to assess the legality of these devices from a labour law perspective, the appropriateness and efficiency of temperature monitoring must be assessed carefully, since a raised temperature is not a systematic symptom of COVID-19 and may also be a symptom of other illnesses. That said, monitoring temperature without registering such data, linked to the identity of a specific individual, in any records is not processing covered by the GDPR.

Finally, the CNPD recalls that only the relevant health authorities are allowed to collect, implement and process tests and medical forms containing data about employees.