COVID-19: WHAT ARE THE MOST IMPORTANT ASPECTS OF HEALTH DATA PROCESSING IN THE WORKPLACE?

1. When is the processing of personal data lawful in the COVID-19 emergency?

The EDPB (European Data Protection Board), in its statement of 19/03/2020, makes clear that the processing of personal data is permitted in accordance with Article 6 GDPR and Article 9 GDPR without the consent of the data subject for reasons of public interest in the field of public health such as protection against serious cross-border threats to health. The declaration of the EDBP, in relation to the processing of data in the working context in the event of emergencies makes, express reference to Recital (46) of the GDPR and therefore to the lawfulness of the treatment when it is carried out to control "the evolution of epidemics and their spread or in cases of humanitarian emergencies, in particular in cases of natural and man-made disasters", also referring to art. 9.2 letter i) and letter c) of the GDPR, in which it deals with treatment in situations of health emergency.

2. What is the employer's obligation towards the employee?

It is necessary to inform the interested parties in a clear and simple way about the methods, purposes and time of storage, avoiding disclosure to unauthorized parties through the provision of security measures and preferring anonymous data collection.

3. Is the employer allowed to collect health data in his company?

Yes, but only to the limits allowed by national law and in relation to the current emergency, always keeping in mind the principle of proportionality and data minimization, so that, in compliance with the legislation on health and safety at work, according to the EDPB employers will have to obtain personal data related to the infection for the purpose of fulfilling their duties and consequently organize their work.

4. What should the employer do if he knows of an infected case in his business?

The employer must inform the competent authorities of the presence of a case of COVID-19 infection and, avoiding communicating information not important for this purpose, also the other workers for the protection of their health and always with the adoption of appropriate safety measures.  If it is necessary to disclose the name, and if it is allowed by national law, it will be necessary to inform the person concerned in advance with respect for his dignity and integrity.

5. Have there been any other interventions, other than the EDPB, about how to deal with the health emergency regarding the processing of personal data?

The Italian Privacy Guarantor with a statement of 02/03/2020, to the data controllers, stresses the prohibition of autonomous initiatives to collect health data of users and workers that have not been normatively provided for or ordered by the competent bodies. Moreover, on 20/03/2020 the EDPS (European Data Protection Supervisor) intervened stating that COVID-19 is indicated as a "game changer" in the context of data processing and announced a new strategy for the next five years that will include a revision of the current EDPS Strategy.

The EDRI (European Digital Right) ,in a recent statement of 20/03/2020,  also calls to take the necessary measures to contain COVID-19 on the EU Member States, including some such as respect for fundamental rights such that any emergency measures that may violate these rights must be temporary, limited and controlled, the temporary nature of technical measures and transparency in the adoption of technical measures towards those concerned, no monetisation or gain from the collection of personal data obtained as part of such measures to combat health emergencies by companies