Since March 2020, the European Union has been experiencing a health crisis due to the coronavirus. In this context, Luxembourg's private and public entities have been facing increasingly complex challenges in their daily operations. New challenges surface throughout the deconfinement, especially due to employees returning to the workplace.
Professionals and individuals wish to know both which measures to put in place to limit the spread of the virus and ensure the safe return to work as well as which conditions apply to the processing of personal data, in particular health related data. The CNPD wishes to highlight certain rules in this context.
Healthy and safety obligations of employers
In a professional environment, private and public entities have a legal obligation to guarantee the health and safety of their employees/agents in the workplace (Article L.312-1 of the Labour Code). In order to limit risks, they should implement prevention, information and training actions and issue internal instructions to this end.
The CNPD invites employers to consult the online information published by the government and the Inspectorate of Labour and Mines (French) on a regular basis, in order to be aware of their obligations during the crisis.
In this context, private and public entities may process personal data in accordance with the GDPR when it is strictly necessary for compliance with their legal obligations. These entities may in particular:
- remind their employees and agents, whose work brings them in contact with other persons, of their obligation to inform either the employer or the Directorate of Health of the Ministry of Health – Health Inspection Division (hereafter “the Health Inspection”) of a contamination or a suspicion of contamination, for the sole purpose of enabling the latter to adapt working conditions,
- invite their employees to consult a doctor or refer them to the Health Inspection and encourage the use of remote working.
The CNPD wishes to highlight that the provisions of the Amended Act of 17 July 2020 on the measures to fight the Covid-19 pandemic concerning the CovidCheck system in the workplace were repealed on 11 February 2022. Employers are therefore required to delete the personal data collected on the basis of Article 3septies of the aforementioned Act of 17 July 2020.
Health and safety obligations of employees/agents
All employees/agents must use all means to protect the health and safety of others and themselves (Article L.313-1 of the Labour Code).
When an employee is ill (see Article L.121-6 of the Labour Code), the employee must, where applicable, inform the employer only of the employee’s incapacity to work, without providing any further information regarding his or her state of health or the nature of the illness (including the fact that the employee has tested positive for COVID-19 or has COVID-19 symptoms).
The processing of personal data by employers
Private and public entities may only process the personal data, which are strictly necessary for compliance with their legal obligations, in accordance with the Labour Code.
Thus, these entities may only process elements linked to the medical certificate, except for the elements processed on the basis of the above mentioned temporary measures.
However, public and private entities cannot put in place files or processing activities relating to health data linked to COVID-19 even if an employee voluntarily informs his or her employer that he or she has tested positive for COVID-19 or may present symptoms of the disease. Entities also cannot collect files or data relating to the body temperature of their employees or agents or to other diseases (the “comorbidities”) which may be aggravating factors in the event of a COVID-19 infection. Furthermore, it is not the role of the employer to carry out investigations or “contact tracing”. This task falls to the Health Inspection from the moment where an employee or agent tests positive for COVID-19.
The personal data relating to vaccinations
The collection of information relating to the vaccination status of employees, i.e. information about whether or not the person is vaccinated, constitutes processing of special categories of personal data, notably data concerning health, which is prohibited by Article 9.1 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), unless one of the exceptions set out in paragraph 2 of this article applies. In addition to complying with the requirements of Article 9 of the GDPR, the processing of special categories of personal data must be based on one of the lawful conditions for processing set out in Article 6 of the GDPR.
In principle, the employer should limit the processing of health data to sickness certificates received in accordance with the Labour Code or personal data processed on the basis of another legal obligation stemming from labour law.
Furthermore, Article 10 of the Amended Act of 17 July 2020 on the measures to fight the Covid-19 pandemic provides that the Director for Health and the vaccinator are responsible for the processing of personal data related to vaccinated persons. At present, the law does not require employers to process these personal data. Employers should therefore not record whether employees are vaccinated against COVID-19.
Taking the temperature at the entrance to the premises
In order to prevent contaminations and to exclude employees with a fever from the work place, a number of employers wish to systematically take the temperature of employees and visitors at the entrance to the employers’ premises.
While it is not the task of the CNPD to assess the lawfulness with regard to labour law of what an employer may require of its employees or of potential discrimination by the employer, the CNPD considers that employers should assess the possibility of taking temperatures and the efficiency thereof carefully, as fever is not a systematic symptom of COVID-19 and could be caused by another infection. Such a measure could thus interfere with the employee’s privacy.
Taking the temperature of visitors and employees/agents of a business or an administration, without recording the data concerning the temperature linked to the identity of the data subject or where the data are not intended to form part of a filing system, does not constitute processing as defined by the GDPR. As such, manually taking the temperature at the entrance of premises where no trace of it is recorded is not subject to the rules and principles of the GDPR. Likewise, the use of thermal cameras for preventive purposes, which under no circumstances allows for the identification of employees, agents or visitors who are visible in the field of vision of the camera, without recording data and without the possibility to reuse the images, does not fall within the scope of the GDPR.
It would be otherwise, if the employer were to create a file containing all the temperatures taken and the data concerning the identity of the controlled persons, or if the employer could view the images of the thermal cameras and identify the data subjects. Unless it is provided for explicitly by law, such processing activities would be disproportionate, as they would not respect the principle of data minimisation, given that less intrusive measures could be implemented by the employer in order to ensure the health and safety of employees at their workplace.
Tests and health questionnaires carried out by the employer
The CNPD reiterates that only the competent healthcare professionals may implement healthcare questionnaires, and collect and access notes and data from the questionnaires about employees/agents containing data relating to their state of health or information concerning, in particular, their family, their living conditions or their possible movements.
This also applies for medical, serological or COVID-19 screening tests. The results of these tests are subject to medical confidentiality: a healthcare professional can only inform private and public entities whether or not an employee is able to work. The latter may therefore only process this information and no further information concerning the health of the employee, in line with the procedures for other sick leave.
Private and public entities must therefore refrain from searching for possible symptoms suffered by one of the employees, an external person as well as those close to them either through a systematic, blanket collection of information or through individual enquiries or requests, even if an employee voluntarily brings such information to his employer.
Requests and recommendations from healthcare authorities
Finally, the Health Inspection, qualified to adopt appropriate measures within the limits of its remits, may collect data related to the health of individuals. This public authority is responsible for the evaluation and collection of information about coronavirus symptoms and of information on the recent movements of specific individuals.
While the current crisis requires all parties to be particularly careful, the CNPD invites all individuals and professionals to follow the recommendations of the Ministry of Health and to collect only the data relating to the health of individuals, which have been requested by the Health Inspection.