On March 13, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released a statement regarding workplace-related processing of personal data in the context of the COVID-19 crisis (the “Statement”).
The key takeaways from the Statement are:
- Under the EU General Data Protection Regulation (the “GDPR”), every processing activity must be lawful, even where such processing activities relate to preventive health measures. The Belgian DPA indicated that the “vital interests” legal basis should not be used systematically and cannot be interpreted broadly, even under the current circumstances.
- The Belgian DPA explained that the lawfulness principle also applies to the processing of sensitive data related to employees’ health. In this respect, companies and employers must keep in mind that the legal basis set forth under Article 9.2 (i) of the GDPR (i.e., the necessity of the processing for reasons of public interest in the area of public health) can only be relied on when acting upon explicit directives imposed by public authorities.
- The Belgian DPA stated that an assessment of health-related risks should only be performed by the business’ corporate doctor, who is competent to detect infections and inform the employer and the individuals who may have been in contact with the infected employee. Such information can be shared by the doctor with the employer based on Articles 6.1 (c) and 9.2 (b) of the GDPR (i.e., the necessity of the processing to protect the vital interests of the data subjects and for preventive medicine purposes).
Safeguards and General Principles
- The GDPR’s general data processing principles must be complied with when processing personal data to implement preventive measures related to COVID-19. In particular, companies and employers must ensure that their processing activities are proportionate and that they only collect data that is necessary to achieve the processing purpose (i.e., data minimization).
- Appropriate information must also be provided to data subjects such as employees or visitors regarding the processing of their personal data, the purposes of the processing and relevant retention period(s) (i.e., transparency).
- The personal data collected must be adequately protected (i.e., integrity and confidentiality).
The Belgian DPA also answered questions it recently received from Belgian citizens and companies. Notably, the Belgian DPA stated that:
- Companies can conduct body temperature controls with respect to their employees to the extent such checks are voluntary and the employer does not record the data generated by the checks (i.e., the checks therefore do not constitute a data processing activity within the meaning of the GDPR).
- Companies cannot force their employees to complete medical questionnaires or questionnaires related to employees’ recent travels. The Belgian DPA recommends that companies encourage their employees to voluntarily report any travels to risky areas or symptoms of the virus.
- Based on the principles of confidentiality and data minimization, companies cannot reveal the names of infected employees and may only inform other employees about an infection (without identifying those infected).
Any additional questions regarding the implementation of preventive measures related to COVID-19 can be sent to the Belgian DPA at firstname.lastname@example.org.