Privacy in a pandemic: a guide to health data processing rules in Europe

As employees start to return to work, many firms will be wondering what the rules are when it comes to collecting and processing health data and, crucially, conducting virus-related testing. We talk to a privacy expert to assess some of the rules emerging from different countries within Europe.

The spread of the novel coronavirus has had monumental ramifications on the day-to-day business operations of organisations across the industrial spectrum. Companies of all types and sizes have had to dramatically rethink their approaches to conducting business, with many having to employ robust remote working policies, pivot their revenue models, and instill new and innovative management practices.

However, as governments start to ease their restrictions and more employees physically return to work, many firms might be wondering what they are permitted to do in regard to the collection and processing of health-related data and the carrying out of virus-related testing.

In the United States, the EEOC issued guidance back in 2009 and updated it in March 2020 in response to the COVID-19 pandemic, specifically confirming that the current pandemic permits employers to measure their employees' body temperatures before allowing them to enter the worksite. Outside the US, however, the situation is a bit more complex. This is especially true in Europe, where these kinds of practices are covered by the General Data Protection Regulation (GDPR), with even simple temperature checks being dependent on country-specific interpretations of these laws.

As essentially every country in Europe holds at least a slightly different interpretation and a specific set of laws governing what constitutes valid data collection and processing in relation to the pandemic, it can make for a confusing environment, especially for businesses with multiple locations or offices in different European countries. In order to cut through some of this confusion, we spoke to Paul Lanois, director of technology, outsourcing and privacy at law firm Fieldfisher. We consulted Lanois to assess some of the different approaches taken by countries within Europe when it comes to health data processing, and specifically whether organisations are allowed to conduct temperature testing.

Overall, we found that there can be large discrepancies between any two individual approaches, so it is hugely important to pay particularly close attention to the specific country and its relevant laws.


The restrictive countries


France's data protection authority, the CNIL, has issued guidance stating that employers "must refrain from collecting, in a systematic and generalised manner or through inquiries and individual requests, information relating to the search for possible symptoms presented by an employee / agent and his relatives. It is therefore not possible to implement, for example mandatory measurements of the body temperatures of each employee / agent / visitor which would be sent daily to their hierarchy, or even the collection of medical sheets or questionnaires from all of the employees / agents."

While that might sound a tad convoluted, according to Lanois, it essentially means that employers won't be able to conduct things like mandatory temperature checks at all.

"CNIL (is indicating) that the evaluation and collection of information relating to potential symptoms of coronavirus as well as information on recent movements of affected individuals 'are the responsibility of the public health authorities'," Lanois says.

"In other words, companies based in France may not create a mandatory body temperature measurement as a prerequisite to enter the workspace, according to the CNIL."



Luxembourg's data protection authority, the CNPD, has issued a similar statement to that of France's data protection authority, stating that "organisations may not collect, in a systematic and generalised manner, or through inquiries and individual requests, information relating to the search for possible symptoms presented by an employee / external person as well as their relatives".

However, there are some discrepancies here as Luxembourg's approach does not rule out the gathering of employee health data completely. Instead, the CNPD's position is that organisations may invite their employees and agents to voluntarily provide information regarding a potential exposure to the virus, either directly to the organisation or to health authorities.

"The difference (compared to France) is that the company may be able to rely on consent as the legal basis for processing the information, since the employee or agent voluntarily provides the information to the company, instead of the company automatically collecting the information from all employees," Lanois clarifies.



In the Netherlands, the Dutch data protection authority has confirmed that an employer cannot obtain information on the nature and cause of someone's illness, meaning they are not allowed to test for symptoms or for the virus itself. Tests can only be carried out by (company) doctors or by the employee/visitor themselves, and organisations are forbidden from asking about the results of these tests.

This extends to circumstances where an employee voluntarily tells his employer about his illness: even in these situations, the Dutch data protection authority states that the employer cannot record or share such information. However, employers may reach out to the occupational health and safety department or a company doctor to check.

In light of the situation, one allowance that has been given to employers is the right to send employees home if they are showing symptoms of COVID-19 or when the employer is in doubt. The employer is also allowed to request that employees monitor their own health.



For Belgium's data protection authority (APD), "as soon as any preventive measures at work are accompanied by any processing of personal data, the provisions of the GDPR must be respected".

According to the APD's guidance, a simple temperature measurement is not a processing of personal data. Accordingly, a mere temperature measurement that is not recorded, further processed, or combined with other personal information does not fall within the scope of the GDPR. That last stipulation can be difficult to navigate, however, given the additional measures being employed by some organisations, such as CCTV and badging systems.

However, in Belgium, measurements are not to be recorded or stored - for example, to keep a record of who was allowed or denied entry to the premises based on the temperature reading. Employers also must not publicly disclose or identify an employee who has tested positive for the virus, but they can generically inform other employees that an infection has been recorded, without identifying the individual(s) in question.

"The APD further provides that an employer cannot compel its employees to complete medical questionnaires. In addition, an employer may not disclose the names of the impacted individuals to any person, other than the company's doctor or the competent authorities," Lanois says.



Finally, Italy's data protection authority has indicated that employers must "refrain from collecting, in advance and in a systematic and generalised manner, including through specific requests to the individual worker or unauthorised investigations, information on the presence of any signs of influence in the worker and his or her closest contacts, or anyhow regarding areas visited outside the work environment".

Like the above countries, Italy has confirmed that the "investigation into and collection of information on the symptoms typical of Coronavirus and on the recent movements of each individual are the responsibility of healthcare professionals and the civil protection system". Accordingly, organisations in Italy may not conduct any "do-it-yourself (DIY) data collection" to detect COVID-19 cases.


The more 'permissive' countries


Denmark's data protection authority (known as Datatilsynet) has indicated that, "within the framework of the data protection rules, an employer can to a large extent record and disclose information that is not so specific and specific that it can be considered health information when the situation necessitates that." Examples of such situations, the authority elaborates, include instances where an employee has returned from a so-called "risk area", where an employee is currently in quarantine at home (without stating the reason), or where an employee is ill (without stating the reason).

"According to the Datatilsynet, an organisation in Denmark may also record and disclose information that may be considered health information under data protection laws. This would include, for example, that an employee is infected with the coronavirus, as long as the necessary precautions are undertaken to ensure the confidentiality and security of the data. However, any such record must be factual and limited to what is necessary," Lanois continues.

The Datatilsynet therefore provides that an employer should consider the following:

  • Whether there is a good reason to record or disclose the information in question
  • Whether it is necessary to specify the information, including whether the purpose can be achieved by "telling less"
  • Whether it is necessary to name names - e.g. the name of the person infected and / or in the home quarantine

Unfortunately, according to Deloitte, there is no specific legislation which allows or requires employers to take special measures if an employee shows symptoms of coronavirus infection. This practice therefore falls into a bit of a grey area, and organisations should refer closely to the above rules before carrying out any kind of new protective measures.



Poland's data protection authority (UODO) has stated that data protection provisions "cannot be an obstacle to the implementation of activities related to the fight against the coronavirus". Accordingly, the Inspector General of Health may issue decisions imposing certain preventive obligations on employers, and the Prime Minister can also impose certain obligations on companies.

In its statement, the UODO further clarified that the processing of health information by organisations is permitted by Articles 9 (2) and 6 (1) (d) of the GDPR, which allow the processing of "special categories of personal data" where such processing is "necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health".

The UODO also referred to Recital 46 of the GDPR, which provides that "the processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. […] Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters."

When it comes to temperature checks, the UODO issued a statement highlighting that the provisions on the protection of personal data allow the processing of employee and visitor data, which includes temperature measurements or the use of questionnaires about disease symptoms. Here it references Article 9(2)(i) of the GDPR, which indicates that special categories of data, such as health data, may be processed when it is necessary for reasons of public interest in the field of public health.



For Spain's data protection authority (AEPD), data protection legislation cannot be used to impede or limit the effectiveness of measures taken by competent authorities. The AEPD also refers to Articles 9 (2) and 6 (1) (d) of the GDPR, together with Recital 46 of the GDPR, as the legal basis for companies to process health-related data without the consent of the employees.

Measuring the body temperature is also deemed by the AEPD to be an appropriate measure to guarantee the health of all staff members and avoid contagions within the company.



Hungary has gone one step further by granting exceptional, circumstance-specific allowances over the course of the pandemic, making it quite an exceptional case compared to its counterparts. On 4 May 2020, Prime Minister Orbán issued Decree No. 179/2020, which contains several provisions directly affecting data protection in Hungary during the country's current state of emergency.

"In particular, the decree suspends data subject's rights pursuant to articles 15 to 22 of the GDPR in the context of the processing of personal data. The decree further provides that the one-month time limit for data controllers to provide the necessary information in response to a data subject access request will only begin after the termination of the state of emergency for any COVID-19 related data subject requests," Lanois explains.

Furthermore, if an employee reports COVID-19 exposure or infection, or the employer suspects it (based on information provided), the employer may require employees to fill out questionnaires containing certain information, including travel destinations, dates, and connections with infected persons.
