Prevention of COVID-19 at the workplace and personal data processing
Under the current stressful conditions, most businesses struggle with the most critical issues such as the restriction of demand and the protection of the health of their employees. But even during difficult times, they must not forget their personal data protection duties.
Personal data relating to employee health protection
Creating safe and healthy working conditions for employees is one of the basic duties of every employer. Right now, employers must above all adopt appropriate measures to prevent the spread of the infection at the workplace and ensure that all their employees receive sufficient information about the potential risks.
From the personal data processing perspective, preventive measures involving, e.g., the determination of an employee’s state of health such as measuring the temperature of employees entering the employer’s premises or the determination of an employee’s movement in the preceding days and weeks may be quite problematic. Such information represents personal data not previously processed by employers.
On the commencement of any new personal data processing, it is always necessary to perform a standard evaluation, i.e., to determine the objective of processing (which is the protection of the health of employees, in this case). Considering the personal data minimisation principle, it is also necessary to determine the necessary processing scope, the period over which the data will be stored, and the most suitable legal title based on which the data will be processed.
Information about employees’ state of health belongs to a special personal data category (sensitive personal data) to which stricter processing rules apply. In addition to an employer’s legitimate interest, the legal basis for processing such personal data can also currently be the fulfilment of legal obligations (i.e. the above-mentioned employees’ safety and health protection) or the public interest in the protection of public health. Moreover, this legal title relating to anti-epidemic measures is directly stated in the preamble to the GDPR. However, we recommend that employers proceed as much as possible in cooperation with competent public health protection bodies.
Employers must inform their employees about any new personal data processing actions and reflect them in their records of processing activities pursuant to Article 30 of the GDPR.
Personal data of clients and other persons
In compliance with the government’s recommendations, many employees are currently on a home office regime. The issue of personal data protection is even more urgent where employees at home do not use company equipment and tools provided and secured by the employer (such as computers and mobile phones) but use their own devices for work (a BYOD regime).
It is advisable to set work rules so that it is possible to distinguish when a device is used for business and when for private purposes. For example, a device’s security settings should also enable files to be saved on different disks to prevent any abuse of personal data. However, the constant monitoring of such devices is not a solution, as it would unreasonably interfere with the employees’ privacy.
We recommend that employers implement adequate security rules and prepare an internal guideline explaining these rules to their employees in a comprehensible manner. They should also assess the impact of these rules on the protection of personal data. Concrete employee duties should be specified in an agreement on the performance of work from home.