COVID 19 - Legal principles and CNPD best practices in relation to processing by employers of health data

The COVID-19 outbreak and its rapid development into a global pandemic has led governments to adopt exceptional measures to restrain further development of the virus. Businesses and organisations are from now on required to implement business continuity plans. In that context, processing of personal data may be necessary for employers to respond to their legal obligation to ensure the safety and health of their employees in the workplace1 . The “Commission Nationale pour la Protection des Données” (“CNPD”) has therefore issued guidance on the collection of personal data in the current context. In particular, under the EU General Data Protection Regulation (“GDPR”), personal data concerning health is considered sensitive and therefore enjoys specific protection2 , to assure appropriate safeguards based on its high-risk potential.

Legal principles applicable to the processing of health data

The processing of health data (including disclosure to other employees if absolutely necessary) could only be based on:

  • “explicit consent” (consent being defined as the “freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”); or
  • the necessity “for the purpose of carrying out the obligations and exercising specific rights of the controller in the field of employment law” (e.g. security and health of the employees in general).

For each processing operation (collection, storage, disclosure, retention), a balancing of interests must be operated between the legitimate interest of the employee to keep their personal data private and the general obligation of the employers to ensure health and safety of their employees at work.

In the case of COVID-19, it may be considered that the health and safety obligation of the employer prevails over the protection of the employee’s personal data if and to the extent that the same result could not be achieved without collecting/disclosing the information.

Employees, however, must take all measures to preserve the health and safety of others and of themselves3 : they must, in principle, inform their employer if they suspect contact with the virus. Employers can of course recall this principle during a (dedicated) information campaign.

Employers must take all measures to be able to communicate, to health authorities who request it, the the nature of the exposure of its employees.

Recommendations issued by the CNPD

  • If a positive COVID-19 case is reported within a business or an organisation, employers may record and store the date and the identity of the data subject suspected of having been exposed as well as the organisational measures implemented.
  • Employers may communicate the nature of the exposure, to the extent necessary for any health or medical care of the exposed person, to the health authorities at the latter’s request.
  • Employers may remind employees that they must implement all means to preserve the health and safety of others and themselves4 . They must therefore in principle, inform their employer if they suspect COVID-19 symptoms.

Don’ts issued by the CNPD

  • Employers should not require employees to communicate daily health statements to them, such as their body temperature, nor should they establish medical forms to be filled out by the latter.
  • Employers should not have visitors or any other external person to sign a pre-established declaration certifying that they are free from any COVID-19 symptoms or that they have not recently travelled to a risk-zone.

Overall, the CNPD encourages businesses to raise internal awareness for inviting employees to carry out individual feedback of personal information in connection with possible exposure to COVID-19 subjects.

For the future, more flexibility could be introduced on the basis of Article 9(4) GDPR provides for the possibility for the EU Member States to maintain or introduce further conditions with regard to the processing of genetic or biometric data or data concerning health.

Please read our article about the further update on 23 December 2020 of the above mentioned guidance from the CNPD. 

This may also interest you :

1 Article L.312-1 Labour code.
2 Article 9 GDPR.
3 Article L.313-1 Labour Code.
4 Article L-313-1 Labour code.