Since March 2020, the European Union has been experiencing a health crisis due to the coronavirus. In this context, Luxembourg's private and public entities have been facing increasingly complex challenges in their daily operations. New challenges surface throughout the deconfinement, especially due to employees returning to the workplace.
Professionals and individuals wish to know both which measures to put in place to limit the spread of the virus and ensure the safe return to work as well as which conditions apply to the processing of personal data, in particular health related data. The CNPD wishes to highlight certain rules in this context.
Healthy and safety obligations of employers
In a professional environment, private and public entities have a legal obligation to guarantee the health and safety of their employees/agents in the workplace (Article L.312-1 of the Labour Code). In order to limit risks, they should implement prevention, information and training actions and issue internal instructions to this end.
As such, the CNPD invites employers to consult the online information published by the government and the Inspectorate of Labour and Mines (French) on a regular basis, in order to know their obligations during the crisis.
In this context, private and public entities may process personal data in accordance with the GDPR when it is strictly necessary for compliance with their legal obligations. These entities may in particular:
- Remind their employees and agents, whose work brings them in contact with other persons, of their obligation to inform either the employer or the Direction of Health of the Ministry of Health – Health Inspection Division (hereafter “the Health Inspection”) of a contamination or a suspicion of contamination, for the sole purpose of enabling the latter to adapt working conditions,
- invite their employees to consult a doctor or refer them to the Health Inspection and encourage the use of remote working.
Health and safety obligations of employees/agents
All employees/agents must implement all means to protect the health and safety of others and themselves (Article L.313-1 of the Labour Code).
When an employee is ill (see Article L.121-6 of the Labour Code), the employee must, where applicable, inform the employer only of the employee’s incapacity to work, without providing any further information regarding his or her state of health or the nature of the illness (including the fact that the employee has been tested positive fir COVID-19 or has other symptoms).
The processing of personal data by employers
Private and public entities may only process the personal data, which are strictly necessary for compliance with their legal obligations, in accordance with the Labour Code.
Thus, these entities may only process elements linked to the doctor certificate.
However, public and private entities cannot compile files or treatments relating to health data linked to COVID-19 even if an employee informs his employer voluntarily that he has been tested positive for coronavirus or that he thinks he may present symptoms of the disease. Entities also cannot collect files or data containing the body temperature of their employees or agents or other diseases (the “comorbidities”) which may be aggravating factors in the event of a COVID-19 infection. Furthermore, it is not their role to carry out investigations or “contact tracing”. This task falls to the Health Inspection from the moment where an employee or agent tests positive for COVID-19.
Taking the temperature at the entrance to the premises
In order to prevent contaminations and to exclude employees with a fever from the work place, a number of employers wish to take the temperature of employees and visitors systematically at the entrance to the employers’ premises.
While it is not the task of the CNPD to assess the lawfulness with regard to labour law of what an employer may require of its employees or of potential discrimination by the employer, the CNPD considers that employers should assess the efficiency and the possibility of taking temperatures carefully, as fever is not a systematic symptom of COVID-19 or could be caused by another infection, which would thus interfere with the employee’s privacy.
Taking the temperature of visitors and employees/agents of a business or an administration, without recording the data concerning the temperature linked to the identity of the data subject or where the data are not intended to form part of a filing system, does not constitute processing as defined by the General Data Protection Regulation (GDPR). As such, manually taking the temperature at the entrance of premises where no trace of it is recorded is not subject to the rules and principles of the GDPR. Likewise, the use of thermal cameras for preventive purposes, which under no circumstances allows for the identification of employees, agents or visitors who are visible in the field of vision, without recording and without the possibility to reuse the images, does not fall within the scope of the GDPR.
It would be otherwise, if the employer were to create a file containing all the temperatures taken and the data concerning the identity of the controlled persons, or if the employer could view the images of the thermal cameras and identify the data subjects. Unless it is provided for explicitly by law, such processing activities would be disproportionate, as they would not respect the principle of data minimisation, given that less intrusive measures could be implemented by the employer in order to ensure the health and safety of employees at their workplace.
Tests and health questionnaires carried out by the employer
The CNPD reiterates that only the competent healthcare professionals may collect, implement and access notes or healthcare questionnaires from employees/agents containing data relating to their state of health or information concerning, in particular, their family, their living conditions or their possible movements.
This also applies for medical, serological or COVID-19 screening tests. The results of these tests are subject to medical confidentiality: a healthcare professional can only inform private and public entities whether or not an employee is able to work. The latter may therefore only process this information and no further information concerning the health of the employee, in line with the procedures for other sick leave.
Private and public entities must therefore refrain from searching for possible symptoms suffered by one of the employees, an external person as well as those close to them either through a systematic, blanket collection of information or through individual enquiries or requests, even if an employee voluntarily brings such information to his employer.
Requests and recommendations from healthcare authorities
Finally, the Health Inspection, qualified to adopt appropriate measures within the limits of its remits, may collect data related to the health of individuals. This public authority is responsible for the evaluation and collection of information about coronavirus symptoms and of information on the recent movements of specific individuals.
While the current crisis requires all parties to be particularly careful, the CNPD invites all individuals and professionals to follow the recommendations of the Ministry of Health and to collect only the data relating to the health of individuals, which have been requested by the Health Inspection.