Covid-19: Personal Data Protection

Covid-19 crisis in Lithuania

March 16th


When the coronavirus (COVID-19) pandemic was declared, many employers and other data controllers began to ask whether they may request information from their employees or visitors in order to assess the risk factors associated with a possible coronavirus infection, and whether requesting such information in order to create safe working conditions for employees is compatible with the rules of the General Data Protection Regulation (hereinafter – GDPR).

In order to provide legal clarity, the State Data Protection Inspectorate of the Republic of Lithuania (hereinafter – SDPI) has provided a list of data that employers or other data controllers may process, relating to:

(i) whether the person was traveling to a ‘country of risk’;

(ii) whether the person was in contact with a person traveling to a ‘country of risk’ or suffering from coronavirus;

(iii) whether the person is at home due to quarantine (without giving a reason) and the quarantine period;

(iv) whether the person is ill (without specifying a specific disease or other reason).

Among the above-mentioned information, an employer or other data controller has a right to collect information from employees or visitors on whether they have symptoms of coronavirus or a coronavirus diagnosis. Access to such information is permitted because it is crucial for the employer in assessing whether additional protective measures are needed, such as obliging employees who have worked with or been in contact with a sick person (having symptoms) to undergo quarantine, providing conditions for telework or health checks, and so on. However, the SDPI emphasizes that the right of access to this information does not imply that employers or other data controllers can document the information received or compile relevant data files.

It is important to note that in this case, the employer or other data controller acquires highly sensitive information about the employee or visitor and his/her state of health. For that reason, and in order to protect the rights and legitimate interests of such persons, it is advisable to avoid mentioning the name of a person suffering from (or suspected of having) coronavirus if there is no legitimate reason for disclosing this information.

Employers may also process such personal data related to the employee as the fact of opting for telework and other restrictions on the employee’s work. This right is derived directly from the employer's legal obligation (Art. 6 ph. 1 p. c, GDPR) arising from the provisions of the Lithuanian Law on Safety and Health at Work relating to the employer's obligation to ensure safe working conditions for its employees, as well as the need to protect the vital interests of the data subject or other person arising from the GDPR (Art. 6 ph. 1 p. d, GDPR).

It is important to note that if an employee chooses to work remotely (telework) and it is necessary to monitor the employee's electronic communication, information on telework and monitoring should be provided to the employee in the telework rules or other similar policies.

Despite the broad rights of the employer or other data controller, there are still some limitations on collecting information about employees or visitors. Employers or other data controllers should not ask employees or visitors to provide their temperature readings or medical records, to fill out questionnaires on such matters, etc., as this cannot be considered an obligation of the employer or other data controllers. Furthermore, where global measures to control the current situation are in place, such as restriction of missions and meetings, cancellation of events, or ensuring certain hygiene requirements, data controllers should not violate the right of their employees or other data subjects to the protection of personal data; for example, data subjects should not be required to provide personal data which is not necessary to carry out the established procedure.

It should be noted that in this particular case the data subject cannot exercise his/her right to request the erasure of the data ("the right to be forgotten"). This conclusion follows from Art. 17 ph. 3 p. c of the GDPR, which restricts the right of the data subject to demand erasure where there is a public interest in the area of public health. The restriction of that right is therefore in the public interest and allows adequate protection of the health and well-being of others.

Even in a pandemic situation, personal data protection should not be forgotten. Therefore, any personal data processed by employers or other data controllers must be provided to public authorities for public health purposes in accordance with GDPR requirements. It should also be noted that requests for personal data must be assessed on a case-by-case basis.



• Can Member State governments use personal data related to individuals’ mobile phones in their efforts to monitor, contain or mitigate the spread of COVID-19?

In some Member States, governments envisage using mobile location data as a possible way to monitor, contain or mitigate the spread of COVID-19. This would imply, for instance, the possibility to geolocate individuals or to send public health messages to individuals in a specific area by phone or text message. Public authorities should first seek to process location data in an anonymous way (i.e. processing data aggregated in such a way that individuals cannot be re-identified), which could enable generating reports on the concentration of mobile devices at a certain location (“cartography”).

Personal data protection rules do not apply to data which has been appropriately anonymised.

When it is not possible to only process anonymous data, the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security (Art. 15).

If measures allowing for the processing of non-anonymised location data are introduced, a Member State is obliged to put in place adequate safeguards, such as giving individuals who use electronic communication services the right to a judicial remedy.

The proportionality principle also applies. The least intrusive solutions should always be preferred, taking into account the specific purpose to be achieved. Invasive measures, such as the “tracking” of individuals (i.e. processing of historical non-anonymised location data) could be considered proportional under exceptional circumstances and depending on the concrete modalities of the processing. However, it should be subject to enhanced scrutiny and safeguards to ensure the respect of data protection principles (proportionality of the measure in terms of duration and scope, limited data retention and purpose limitation).



The Professional Partnership of Advocates “Deloitte Legal”, its employees or representatives are not responsible for the information and consultations provided here, i.e. this advice should not be considered professional legal consultation or service. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional legal advisor individually.
