Download PDF vesrion

Due to the increase in the number of COVID-19 infections, entrepreneurs are considering protective measures they can take in their establishments. Such actions should comply with regulations, including those concerning the protection of personal data. However, it should be remembered that not only employers have responsibilities and such responsibilities for preventing the spread of the disease also lie with every employee and visitor. 


Increasingly, entrepreneurs are collecting statements from their employees, suppliers and visitors to their establishments in which they ask about recent trips (including to ”high risk” countries), direct contact with infected persons and the health of the person concerned (increased body temperature, cough, etc.).

At present, the Polish Labour Inspection takes the view (see website:,wyjasnienia-pip-w-zwiazku-z-koronawirusem.html) that the employer has no legal basis for collecting information on the employee’s place of rest. In our opinion, however, the employer may process employee’s personal data concerning his/her place of residence referring to the legitimate interests of the employer (Art. 6 (1) (f) GDPR) which in this case is the protection of health of the employees and other persons staying at the establishment. Another rationale legalising such request that can be taken into account in this respect is Art. 6 (1) (d) GDPR, i.e. processing of data necessary in order to protect vital interests of the data subject or of another natural person. Human health and life can certainly be considered as vital interests.

As far as health data are concerned, at present, the ”secure basis” for processing health data is the explicit consent of the person concerned (Art. 9 (2) (a) GDPR). Obviously, with regard to employees such consent can only be accepted if it is given to the employer on the employee’s own initiative (Art. 221b § 1 of the Labour Code). One may also consider to invoke the pre-requisite referred to in Art. 9 (2) (b) GDPR, i.e. if processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law that provide for appropriate safeguards for the fundamental rights and the interests of data subject.

Such an obligation may be considered, for example, the employer’s obligation to protect the health and life of employees by ensuring safe and healthy working conditions (Art. 207 § 2 of the Labour Code) or the employer’s obligation to take action in case of threat to life or health of employees (Art. 2092 § 1 of the Labour Code). In such a situation, the employer is obligated to inform the employees about the threat and take steps to protect the employees as well as issue appropriate instructions.


Also initiatives related to the non-contact measurement of employee’s body temperature or the use of thermal CCTV cameras are becoming increasingly popular. In our opinion, the result of the body temperature measurement will constitute information about the health of a given person and thus it will be a health-related (sensitive) data). As stated above, in our opinion, at the moment the basis for processing health data is undoubtedly the consent of such a person (Art. 9 (2) (a) GDPR). The rationale of Art. 9 (2) (b) GDPR may also be considered.

When using CCTV cameras for temperature measurement we also recommend that (i) this should be done with the greatest possible confidentiality with regard to the person undergoing such a test, in particular in such a way that other persons cannot see the results of the test (so that the data are not made available to other persons); (ii) the monitoring should not be continuous (the camera should be placed only at the entrance to the establishment); (iii) the temperature readings should not be recorded (”live” measurement).

We believe that a solution using temperature measurement cameras (with the above reservations) may be a better solution from a data protection perspective than, for example, using a non-contact thermometer. In the latter situation there is a risk that the result of the measurement may be visible to other people and we will have to deal with at least an accidental disclosure of such data to unauthorized persons (e.g. other employees) and an increased risk of violating the rights and freedoms of the person in whom an increased body temperature is detected.


On 8 March 2020, the Act on exceptional measures connected with the prevention, eradication, and control of COVID-19, other infectious diseases and crises caused by them (Journal of Laws of 2020, item 374) entered into force.

In order to control COVID-19, the Act allows the employer to delegate the employee to perform work outside his/her permanent place of work (remote work). The employee is obligated to follow such order.

The Act also provides, inter alia, for the possibility for the Prime Minister to impose obligations on entrepreneurs in connection with COVID-19 prevention (Art. 11.2 of the Act). Moreover, in the event of an epidemiological threat, epidemic or spreading of an infection or infectious disease, the Chief Sanitary Inspector will be able to impose on employers or companies decisions obliging them to undertake certain preventive or control measures (Art. 17 of the Act). The Inspector shall also have the right to issue recommendations and guidelines binding for these entities. If such decisions are issued in relation to a given entrepreneur, it will have the possibility to invoke Art. 6 (1) (c) GPRD, i.e. compliance with a legal obligation to which the controller is subject.


We wish to note that the employee (a person staying in Poland) is obligated to refrain from performing work that may involve the transmission of an infection or infectious disease to other persons if he/she is infected, suffering from an infectious disease or is a carrier (Art. 5 Sec. 2 of the Act of 5 December 2008 on the prevention and eradication of infections or infectious diseases).