How do businesses and organisations fight the virus and be compliant with the GDPR rulebook?
Article 6 of the GDPR states that processing of personal data without consent is lawful where it is necessary for compliance with a legal obligation to which the controller is subject, to protect the vital interests of the data subject or of another natural person, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Article 9 GDPR prohibits processing of special categories of personal data (including biometric and health data) without explicit consent. The following limited exceptions apply:
“to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;”
“for reasons of substantial public interest;”
“purposes of preventive or occupational medicine . . . medical diagnosis . . . [or] the provision of health or social care or treatment;” and
“for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.”
The GDPR makes clear that processing special categories of personal data without consent may be necessary for public health reasons, but such processing should not result in the data being processed for other purposes.
What can employers do?
Since companies must take action to minimise the risk of infection and to provide a healthy and safe work environment, they may obtain information on whether an employee has travelled to a region with confirmed COVID-19 cases. Some systematic data collection may also be required, such as questionnaires asking employees to report their travel plans. Such processing falls under Articles 6 and 9 of the GDPR on the basis of workplace health and safety.
The Netherlands Data Protection Authority (Autoriteit Persoonsgegevens) has also published a Q&A on the coronavirus. One of the most frequently asked questions is whether the employer may check the mailbox of a sick employee. The initial answer is yes, because of the employer's interest in continuing the business while its employee is sick. Checking the e-mail account must, however, be necessary and may only relate to business e-mails.
What can’t you do?
Currently, (production) companies are staying open and are exploring ways to prevent any further spread of the virus by reading the temperature of employees and/or visitors. The Netherlands Data Protection Authority has stated that such measures are not allowed (and there is no room for informed consent if such measures are mandatory). However, the question remains whether the GDPR applies if such readings are anonymous and are not recorded (digitally or physically).
Privacy in health care
Healthcare providers are bound by medical confidentiality. Only in exceptional situations can a healthcare provider pass on your medical information. As a patient, you must be able to count on your medical information staying confidential, so everything you tell a healthcare provider in confidence remains confidential.
Medical confidentiality applies to, amongst others, doctors, dentists, pharmacists, GZ-psychologists, psychotherapists, physiotherapists, midwives and nurses. This is regulated by law. However, in the current COVID-19 situation there are exceptions, such as the Public Health Act. Under the latter Act, your healthcare provider must, for example, report infectious diseases such as COVID-19 directly to the Municipal Health Service