In the midst of the COVID-19 coronavirus pandemic, and in an effort to limit and delay its spread, many companies are already processing various categories of personal data that are, to date, new for businesses, including special categories of personal data such as health data. The key issue that arises, however, relates to the extent and nature of the personal data collection carried out by these companies, acting as Data Controllers.
Following the statement of the President of the European Data Protection Board (EDPB), Andrea Jelinek, that “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects”, as well as the Guidelines issued yesterday by the Greek Data Protection Authority, according to which “protection of personal data is not an absolute right, but should be taken into account and weighed against other fundamental rights, in accordance with the principle of proportionality (paragraph 4 above)”, we set out below some cases concerning private-sector employment relations and the principles with which businesses should comply.
According to Law 3850/2010, as amended by Law 4578/18, which governs labor relations:
- on the one hand, the employer is obliged to ensure the health and safety of his employees by taking the necessary protective measures to prevent them from creating a serious, immediate and unavoidable risk, thereby guaranteeing a safe and healthy working environment with the assistance of employees;
- on the other hand, employees are similarly required to apply health and safety rules for themselves and for the benefit of other persons affected by their acts or omissions, including their obligation to report immediately to the employer and/or to the person performing physician duties all situations which may reasonably be considered to present an immediate and serious risk to health and safety, such as any illness, or any stay in or intention to travel to areas exposed to the virus.
To the extent that the law on the protection of personal data applies, companies are entitled to process data for the protection of the health of workers on the basis of the principles set out in Article 5 of the GDPR, in accordance with the legal bases provided in Article 6 par. 1, in particular points (c), (d) and (e), and Article 9 par. 2, in particular points (b), (e) and (i) GDPR, and always under the guidance of the competent authorities.
Examples of processing of personal data and their compatibility with legislation on the protection of personal data:
It is critical for businesses to know if it is permissible, for example:
- to measure the body temperature of those who enter the business’s premises or
- to request the completion of a questionnaire regarding the health status of employees or their relatives, recent travel history to a foreign country with an increased risk of transmitting coronavirus, etc. (it should be noted that questions regarding the private nature of a trip are prohibited in any case), or
- to inform other employees of the fact that an employee has already been infected, or of that employee's identity.
The employer-company, which in any case acts as the data controller, should take into account and comply with the principles of restriction of processing, in conjunction with the principle of proportionality, and the principle of secure processing (in particular confidentiality of information). At the same time, the company should take all necessary technical and organizational security measures and undertake only those measures that are necessary and compliant with Articles 5 and 6 of the GDPR, solely for the purpose of combating the consequences and preventing the spread of the virus. However, businesses should not in any case forget the principle of accountability, to which every action is subject.
Finally, it should be noted that the collection and general processing of personal data that is burdensome and constitutes a restriction of individual rights, such as the measurement of body temperature before entering the work premises, must take place subject to all legal requirements, provided that any other appropriate measure has been previously excluded, and always in accordance with the provisions of the applicable data protection legislation.