Coronavirus (COVID-19): Recommendations by the CNPD on the processing of personal data in the context of a health crisis

The European Union is currently experiencing a wide-ranging health crisis due to the coronavirus. In this context, Luxembourg's private and public entities are facing increasingly complex challenges in their daily operations.

Both professionals and individuals wish to know how data concerning employees/agents or external persons (visitors, customers, suppliers, etc.), unrelated to any medical care, may be collected and used, in order to determine whether the data subject has any symptoms of the coronavirus, was likely to have been exposed to the virus or has been to a risk zone. As the collection of personal data, including health-related data, may concern the private sphere, the CNPD wishes to highlight certain rules in this context.

What to do

In a professional environment, private and public employers have a legal obligation to ensure the health and safety of their employees/agents in the workplace (Article L.312-1 of the Labour Code). In order to limit risks, they should, in this regard, implement prevention, information and training actions and issue internal instructions.

In this context, employers can:

  • raise awareness and invite their employees/agents to inform the employer or the competent health authorities, on an individual basis, of any possible exposure;
  • facilitate the transfer of information by setting up, if necessary, dedicated channels to guarantee the security and confidentiality of the data;
  • encourage the use of remote working and the use of occupational health.

Where notified, an entity may, as part of its health and safety obligations, collect and store:

  • the date and identity of the person suspected of having been exposed to the virus;
  • the organisational measures taken (containment measures, teleworking, contact with the occupational health service, etc.).

Employers will thus be able to communicate the elements related to the nature of the exposure, which are necessary for any health or medical care of the exposed person, to the health authorities at the latter’s request.

Employees/agents must implement all means to preserve the health and safety of others and themselves (Article L.313-1 of the Labour Code). As such, they must, in principle, inform their employer if they suspect that they have been exposed to the virus.

Finally, health data may be collected by the health authorities qualified to take the appropriate measures. These public authorities are responsible for the evaluation and collection of information about coronavirus symptoms and of information on the recent movements of specific individuals.

What not to do

While private and public entities may implement measures to limit the spread of the virus (e.g. travel restrictions or hygiene measures), such measures must respect the privacy of the data subjects.

Employers should therefore refrain from collecting information on possible symptoms experienced by an employee/external person and their relatives in a systematic and generalised manner, or through individual inquiries and requests.

For example, employers should refrain from:

  • requiring their employees to provide daily body temperature readings or to fill in medical forms or questionnaires, which have been drawn up in advance; or
  • requiring visitors or other external people to sign a standardised statement certifying that they do not have symptoms of coronavirus or that they have not recently travelled to a risk area, etc.

With regard to the confidentiality of the data, any data processing carried out in the context of preventing the spread of the virus must be done in such a way as to ensure the security of the data, in particular with regard to health data. The identity of the data subjects can therefore not be disclosed to third parties or the data subjects’ colleagues without clear justification.

These recommendations are communicated by the CNPD, without prejudice to more stringent measures that could be adopted by the State in the event of aggravated scenarios.

The CNPD therefore recommends that all parties consult the information available on the website
