Employer’s Data Protection Challenges During the Coronavirus Pandemic
In our previous newsletter, we examined the most important labour law provisions, which became especially relevant due to the spread of the coronavirus. We would like to remind you that in today’s extraordinary circumstances, employers must not only consider labour laws, but also comply with data protection regulations. This newsletter summarises the most imperative risks and proposes measures to be taken which are approved by the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).
- Risks and Challenges
The European General Data Protection Regulation (GDPR) set strict conditions for data processing, and equipped national authorities with effective tools to enforce its provisions. As a result, enterprises must invest a significant amount of resources in order to ensure compliance with data protection provisions. The world of business perceives the strictness of the GDPR as an unnecessary burden. This is especially true for SMEs and those enterprises whose main area of activity bears no relationship with processing personal data, or those who only conduct data processing peripherally. Therefore, one may believe that the new data protection regulations needlessly hinder the implementation of the employer’s health and safety measures.
Luckily, this is not the case. During the drafting of the GDPR, European lawmakers considered risks such as an epidemic, which means that the GDPR does not hinder or prevent epidemic measures from being implemented (Section 46 of the Preamble of the Regulation explicitly describes this). However, this does not mean that by referring to extraordinary circumstances employers are allowed to collect and process any kind of data. The Regulation continues to severely sanction data processing which may not be considered purposeful or justifiable, and also prohibits the employer from going beyond its role by utilising tools which only national authorities are permitted to use.
A situation such as this requires the employer to process a wider range of data on employees than it usually does. In order to ensure uninterrupted communication and the upkeep of regular operation, it becomes inevitable for the employer to collect and process personal phone numbers, e-mail addresses and other online contact details. Furthermore, depending on the given economic activity, it may become necessary to process several other kinds of personal data.
With regards to the above, our general advice is to ask for the assistance of a data protection expert when designing new workflows to be implemented. We recommend this in order to satisfy the principle of privacy by design, and through this to ensure compliance with further data protection principles. It is not recommended to appoint administrative staff or middle management to implement measures. It is a better choice to construct uniform, regulated workflows with the aid of an expert.
With regards to data protection, a further challenge stems from the recently popular decision of employers directing employees to work remotely. It is often the case that employees are forced to use their own devices for work – to a certain extent – instead of relying on the employer’s IT infrastructure. Such measures may pose severe data protection risks. In several processes, a greater data protection risk may affect the legality of the data processing itself. For instance, in the case of data processing based on legitimate interest, the test for balancing interests may produce different results under a lower level of data protection.
- Healthcare and Travel-related Data Processing
Recently, employers widely began to implement measures which involve the processing of personal data concerning health. We would like to emphasise that personal data concerning health is classified as a special category under the GDPR. The processing of such data has strict conditions and boundaries. The data protection risk in this case is significantly greater than when processing other categories of data.
It is not lawful for employers to conduct medical checks by themselves, or to request healthcare documentation from their employees. Conducting mandatory body-temperature tests, issuing compulsory health-related questionnaires, demanding data on medical history in any way, and other similar measures all count as unlawful data processing, which employers may not conduct. According to NAIH, an exception to this rule may only be granted on an individual basis for certain jobs that are considered to be highly susceptible to illness. Even in this case, several data protection provisions are to be complied with, and a healthcare expert must also be involved.
The processing of health-related data is not forbidden. The GDPR prescribes several legal grounds based upon which the processing of special categories of data is permitted. It is important to mention that prior to beginning the processing of such data, it is essential to examine the necessary conditions for it. It is common practice that an employer orders an employee to fill out a declaration of consent and believes that the data processing is therefore legitimate. This will most likely result in an invalid declaration and illegitimate data processing, even if the data in question does not fall under a special category of data. We therefore recommend that this practice be avoided.
A significant proportion of employers with larger workforces have recently ordered their employees to compulsorily fill out questionnaires regarding whether the employee or any other person entering the premises of the workplace has recently visited a country affected by COVID-19, or whether they have symptoms of the coronavirus. These questionnaires may only be legitimate if, prior to their introduction, the employer has conducted the test for balancing interests and is satisfied that the measure is necessary and proportionately beneficial when considering the measure’s negative effects on the employees’ rights. As discussed above, questions may not inquire about medical history, and the processing of data collected through the questionnaire must be regulated.
A further question arises with regards to the legality of an employee’s ‘whistleblowing’ concerning another employee’s symptoms. Accepting these reports is not illegal. Based on the principles of Labour Law (duty of cooperation, good faith, fairness), employees are entitled to and obliged to submit a report to the employer regarding health risks they are aware of in the workplace. However, we believe that the process of submitting a report should be regulated in a way which complies with data protection principles, and does not result in the stigmatization and/or discrimination of employees who are perceived to be ill.
- Recommended Measures
Generally, we recommend that personal data should only be processed if it is absolutely necessary. If there is an alternative, then that should be the preferred choice. Furthermore, when processing sensitive data, it is recommended to strive for a high level of compliance with the principle of transparency, and to provide clear information on all measures taken.
Recently, European data protection authorities began to publish their recommendations regarding data protection questions related to the coronavirus epidemic. The interpretation of the regulations varies greatly between authorities. It is often the case that certain legal bases are legitimate in one Member State but are not applicable in another, and a number of Member States’ authorities declared that employers have limited means to conduct data processing. Concurrently, multiple authorities explicitly stated that the GDPR does not restrict entities in such situations. As such, we recommend that multinational enterprises do not rely on the guidance and/or internal regulations issued by their corporate group or parent company. Hungarian corporations must comply with NAIH’s guidelines.
On a final note, we would like to direct your attention to NAIH’s recommendations for the measures to be taken by employers, which we summarise below:
NAIH recommends the development of a so-called pandemic or business continuity action plan. This plan does not concern itself exclusively with data protection issues, but is drafted with consideration of the relevant data protection risks. Detailed informative prospectuses created for employees as part of the plan do not limit themselves to data protection issues only. Instead, they are to provide information regarding the coronavirus and guidance on how to deal with the risk of infection. In similar situations, NAIH considers it necessary for the plan to include provisions on the reorganisation of business and business travel, including the regulation of remote working. Additionally, NAIH considers it important that the action plan includes a notice for employees to immediately report any suspected infection and to consult the occupational physician or a general practitioner.
Just as with preparing the necessary labour law documentation, responding to our clients’ data protection inquiries is a top priority for us. We will do everything in our power to help you comply with the regulations as soon as possible!
If we may be of assistance to you with regards to any of the above, please don’t hesitate to contact us!