
Due to the increase in the number of COVID-19 infections, entrepreneurs are considering the protective measures they can take in their establishments. Such actions should comply with regulations including those concerning the protection of personal data. However, it should be remembered that not only do employers have responsibilities, but that such responsibilities to prevent the spread of the disease also lie with every employee and visitor. 


Increasingly, entrepreneurs are collecting statements from their employees, suppliers, and visitors to their establishments, in which they ask about recent trips (including to “high risk” countries), direct contact with infected persons, and the health of the person concerned (increased body temperature, cough, etc.).

At present, the Polish Labour Inspection takes the view (see the website:,wyjasnienia-pip-w-zwiazku-z-koronawirusem.html) that the employer has no legal basis to collect information on the employee’s recent travels. In our opinion, however, the employer may process an employee’s personal data concerning his/her place of residence under Art. 6 (1) (f) GDPR. This refers to an employer’s legitimate interests to protect the health of employees and other persons working at the establishment. Another rationale to request information is under Art. 6 (1) (d) GDPR, i.e. the processing of data necessary to protect the vital interests of the data subject or of another natural person. Human health and lives can certainly be considered to be vital interests.

As far as health data are concerned, at present, the “secure basis” for processing health data is the explicit consent of the person concerned (Art. 9 (2) (a) GDPR). Obviously, with regard to employees such consent can only be accepted if it is given to the employer on an employee’s own initiative (Art. 22¹ᵇ § 1 of the Labour Code). One may also consider invoking the prerequisite under Art. 9 (2) (b) GDPR, i.e. if processing is necessary to carry out the obligations and to exercise the specific rights of the controller or of the data subject in the field of employment and social security and social protection law that provide for appropriate safeguards for the fundamental rights and the interests of data subjects.

Such an obligation may be, for example, the employer’s obligation to protect the health and lives of employees by ensuring safe and healthy working conditions (Art. 207 § 2 of the Labour Code), or the employer’s obligation to take action in case of a threat to employees’ lives or health (Art. 209² § 1 of the Labour Code). In such a situation, the employer is obligated to inform the employees about the threat, to take steps to protect the employees, and to issue appropriate instructions.


Initiatives related to the non-contact measurement of an employee’s body temperature or the use of thermal CCTV cameras are becoming increasingly popular. In our opinion, the result of the body-temperature measurement will constitute information about the health of a given person, and thus it will be classified as health-related (sensitive) data. As stated above, in our opinion, at the moment, the basis for processing health data is undoubtedly the consent of the person concerned (Art. 9 (2) (a) GDPR). The rationale given under Art. 9 (2) (b) GDPR may also be considered.

When using CCTV cameras to measure temperature, we also recommend that:

  • the measurement be carried out with the greatest possible confidentiality with regard to the person undergoing such a test; in particular, in such a way that other persons cannot see the results of the test (so that the data is not made available to other persons);
  • the monitoring not be continuous (the camera should be placed only at the entrance to the establishment);
  • the temperature readings not be recorded (there should only be “live” measurements).

We believe that using temperature-measurement cameras (with the above reservations) may be a better solution from a data protection perspective than, for example, using a non-contact thermometer. In the latter situation, there is a risk that the result of the measurement may be visible to other people, leading to the accidental disclosure of such data to unauthorized persons (e.g. other employees), and an increased risk of violating the rights and freedoms of the person in whom an increased body temperature is detected.


On 8 March 2020, the Act on exceptional measures connected with the prevention, eradication, and control of COVID-19, other infectious diseases and crises caused by them (Journal of Laws of 2020, item 374) entered into force.

To control COVID-19, the Act allows the employer to delegate the employee to perform work outside his/her permanent place of work (remote work). The employee is obligated to follow such an order.

The Act also provides, inter alia, for the possibility for the Prime Minister to impose obligations on entrepreneurs in connection with COVID-19 prevention (Art. 11.2 of the Act). Moreover, if there is an epidemiological threat, epidemic or spreading of an infection or infectious disease, the Chief Sanitary Inspector will be able to impose decisions on employers or companies obliging them to undertake certain preventive or control measures (Art. 17 of the Act). The Inspector also has the right to issue recommendations and guidelines that will be binding on those entities. If such decisions are issued in relation to a given entrepreneur, the entrepreneur will have the possibility to invoke Art. 6 (1) (c) GDPR, i.e. compliance with a legal obligation to which the controller is subject.


We wish to stress that an employee (a person staying in Poland) is obligated to refrain from performing work that may involve the transmission of an infection or infectious disease to other persons if he/she is infected, suffering from an infectious disease, or is a carrier (Art. 5 Sec. 2 of the Act of 5 December 2008 on the prevention and eradication of infections or infectious diseases).