Coronavirus (COVID-19): Recommendations by the CNPD on the processing of personal data in the context of a health crisis

Since March, the European Union has been experiencing a health crisis due to the coronavirus. In this context, Luxembourg's private and public entities have been facing increasingly complex challenges in their daily operations. New challenges surface throughout the deconfinement, especially due to employees returning to the workplace. 

Professionals and individuals wish to know both which measures to put in place to limit the spread of the virus and ensure the safe return to work as well as which conditions apply to the processing of personal data, in particular health related data. The CNPD wishes to highlight certain rules in this context.

Healthy and safety obligations of employers

In a professional environment, private and public entities have a legal obligation to guarantee the health and safety of their employees/agents in the workplace (Article L.312-1 of the Labour Code). In order to limit risks, they should implement prevention, information and training actions and issue internal instructions to this end.

Article 1 of the Grand-Ducal Regulation of 17 April 2020 introducing a series of health and safety measures in the workplace in the context of the fight against COVID-19 (French) also sets out that the employer must adopt appropriate measures for the protection of the health and safety of employees, and ensure the adaptation of these measures to take into account the exceptional circumstances caused by the COVID-19 epidemic, and contribute to the improvement of the current situation.

As such, the CNPD invites employers to consult the online information published by the government and the Inspectorate of Labour and Mines (French) on a regular basis, in order to know their obligations during the crisis.

In this context, private and public entities may process personal data in accordance with the GDPR when it is strictly necessary for compliance with their legal obligations. These entities may in particular:

  • Remind their employees and agents, whose work brings them in contact with other persons, of their obligation to inform either the employer or the Direction of Health of the Ministry of Health – Health Inspection Division (hereafter “the Health Inspection”) of a contamination or a suspicion of contamination, for the sole purpose of enabling the latter to adapt working conditions,
  • facilitate this provision of information by setting up, if necessary, dedicated and secure channels,
  • invite their employees to consult a doctor or refer them to the Health Inspection and encourage the use of remote working.

Health and safety obligations of employees/agents

All employees/agents must implement all means to protect the health and safety of others and themselves (Article L.313-1 of the Labour Code). As such, they must in principle inform their employer if they suspect that they have been exposed to the virus. More specifically, Article 2 of the Grand-Ducal Regulation of 17 April 2020 introducing a series of health and safety measures in the workplace in the context of the fight against COVID-19 sets out that the employee must “…immediately report to the employer and/or to the safety officers and to the safety and health representatives any work situation where they have a reasonable ground to think they it presents a serious and immediate danger to safety and health in the context of the COVID-19 epidemic…”.

Under normal circumstances, when an employee is ill (see Article L.121-6 of the Labour Code), the employee must, where applicable, inform the employer only of the employee’s incapacity to work, without providing any further information regarding his or her state of health or the nature of the illness. However, in the context of a pandemic, such as COVID-19, employees whose work brings them in contact with other persons (colleagues and the public) should, every time he or she could have exposed these persons to the virus, inform the employer in the event of contamination or suspicion of contamination.

Where an employee works from home or in an isolated manner without being in contact with his or her colleagues or the public, the employee does not need to provide this information to the employer. In the absence of danger to others, the events linked to a possible exposure, especially a possible incapacity to work linked to it, should be processed in line with the normal procedure for sick leave.

The processing of personal data by employers

Private and public entities may only process the personal data, which are strictly necessary for compliance with their legal obligations, meaning necessary to implement organisational measures (e.g. remote working, exemption from work, referral to a doctor or the Health Inspection), training and information measures, as well as measures to prevent professional risks.

Thus, these entities may only process elements linked to the date, the identity of the person, the fact that the person has stated that he or she has been contaminated or suspects it, as well as the organisational measures implemented.

Where necessary, the above entities may transmit the elements necessary for the health care of the exposed person to the Health Inspection. In any event, the identity of the person, who could be contaminated, must not be communicated to other employees/agents.

However, public and private entities cannot compile files containing the body temperature of their employees or agents or diseases (the “comorbidities”) which may be aggravating factors in the event of a COVID-10 infection. Furthermore, it is not their role to carry out investigations or “contact tracing”. This task falls to the Health Inspection from the moment where an employee or agent tests positive for COVID-19.

Taking the temperature at the entrance to the premises

In order to prevent contaminations and to exclude employees with a fever from the work place, a number of employers wish to take the temperature of employees and visitors systematically at the entrance to the employers’ premises.

While it is not the task of the CNPD to assess the lawfulness with regard to labour law of what an employer may require of its employees or of potential discrimination by the employer, the CNPD considers that employers should assess the efficiency and the possibility of taking temperatures carefully, as fever is not a systematic symptom of COVID-19 or could be caused by another infection, which would thus interfere with the employee’s privacy.

Taking the temperature of visitors and employees/agents of a business or an administration, without recording the data concerning the temperature linked to the identity of the data subject or where the data are not intended to form part of a filing system, does not constitute processing as defined by the General Data Protection Regulation (GDPR). As such, manually taking the temperature at the entrance of premises where no trace of it is recorded is not subject to the rules and principles of the GDPR. Likewise, the use of thermal cameras for preventive purposes, which under no circumstances allows for the identification of employees, agents or visitors who are visible in the field of vision, without recording and without the possibility to reuse the images, does not fall within the scope of the GDPR.

It would be otherwise, if the employer were to create a file containing all the temperatures taken and the data concerning the identity of the controlled persons, or if the employer could view the images of the thermal cameras and identify the data subjects. Unless it is provided for explicitly by law, such processing activities would be disproportionate, as they would not respect the principle of data minimisation, given that less intrusive measures could be implemented by the employer in order to ensure the health and safety of employees at their workplace.

Tests and health questionnaires carried out by the employer

The CNPD reiterates that only the competent healthcare professionals may collect, implement and access notes or healthcare questionnaires from employees/agents containing data relating to their state of health or information concerning, in particular, their family, their living conditions or their possible movements.

This also applies for medical, serological or COVID-19 screening tests. The results of these tests are subject to medical confidentiality: a healthcare professional can only inform private and public entities whether or not an employee is able to work. The latter may therefore only process this information and no further information concerning the health of the employee, in line with the procedures for other sick leave.

Private and public entities must therefore refrain from searching for possible symptoms suffered by one of the employees, an external person as well as those close to them either through a systematic, blanket collection of information or through individual enquiries or requests.

Requests and recommendations from healthcare authorities

Finally, the Health Inspection, qualified to adopt appropriate measures within the limits of its remits, may collect data related to the health of individuals. This public authority is responsible for the evaluation and collection of information about coronavirus symptoms and of information on the recent movements of specific individuals.

While the current crisis requires all parties to be particularly careful, the CNPD invites all individuals and professionals to follow the recommendations of the Ministry of Health and to collect only the data relating to the health of individuals, which have been requested by the Health Inspection. 

Dernière mise à jour