With the progression of the Coronavirus (COVID-19) pandemic, the question arises how data protection compliance can be ensured in these exceptional circumstances. Our Q&A provides you with answers.
The impact of the Coronavirus (COVID-19) pandemic on the everyday life of businesses is dramatic. Many companies act quickly and take incisive decisions which, especially when they involve the processing of employees' health data, also require an assessment under applicable data protection laws. Our Q&A provides you with insights on what businesses must now observe.
Does the COVID-19 “state of emergency” override data protection law?
No, the opposite is true. Due to the enormous risks of COVID-19, companies will process highly sensitive health data of employees to an increased extent, and this processing continues to be subject to data protection law. Due to the substantial public health risk of COVID-19, businesses may justify data processing under Art. 6, 9 GDPR (EU General Data Protection Regulation) and, if applicable, local laws. Such data processing may not be lawful without such a public health risk. So that businesses can prove the lawfulness of data processing to supervisory authorities retrospectively, they should fulfil their accountability duty under Art. 5 (2) GDPR. In particular, decisions with relevance to data protection law must be justified and documented. Under the current Swiss data protection law, the information duty related to the processing of health data needs to be observed. In general, the principle of proportionality applies. In cases where health data is disclosed to third parties, this needs to be justified and documented appropriately.
Are businesses allowed to check the body temperature of their employees?
Data protection law does not restrict employers from checking body temperatures of their employees as long as no identifying information of the employees is collected. If businesses intend to document the measurements, the permissibility must be carefully assessed, taking into account the circumstances of the individual case. It is recommended to conduct a data protection impact assessment (DPIA) and to observe labor law provisions.
Can data protection law conflict with working from home?
Before allowing home office work, businesses should double check that home office work of their employees does not violate contractual obligations with third parties. For example, commissioned data processing agreements may contain corresponding restrictions. Violations can, in the worst case, lead to contractual penalties or extraordinary termination of data processing contracts by business partners. In addition, any accompanying measures regarding home office work that may lead to monitoring of the employee's behavior, such as tracking of computer activities, need to be assessed carefully in order to comply with data protection and/or labor law. An additional aspect to consider is employees who may reside abroad (which leads to cross-border data transfers).
What kind of security measures should businesses have in place for working from home?
If employees process personal data from home, they must also comply with the company's internal technical and organizational measures (TOMs). For example, documents containing personal data must be kept confidential, i.e. out of reach of household members or visitors. It is the duty of every business to instruct its employees accordingly and to oblige them to comply with applicable TOMs. When introducing working from home, companies should also anticipate risks where a "Bring Your Own Device" (BYOD) policy is applied. Technical measures to prevent business data from being copied or automatically synchronized to private home devices need to be implemented. Otherwise, occurrences such as the synchronization of the employee's business address book to their private device, and thus to their privately used applications, may cause a data breach.
Are companies allowed to inform their employees about infected colleagues by naming them?
The disclosure of names of infected employees is a very severe intrusion into the rights of the affected employees and must be carefully assessed in each individual case. However, major risks for fellow employees and especially their elderly family members must be considered. Failure to mention the risk of infection can indirectly lead to the infection of members of risk groups whose mortality rate may be higher. Such health risks can be taken into account individually in data protection assessments (especially regarding Art. 6, 9 GDPR or applicable local laws). The involvement of the data protection officer and the observance of the principle of proportionality are required. The principle of data minimization can also become relevant in terms of restricting the number of recipients of sensitive personal information.
Must businesses inform their employees about data processing concerning COVID-19?
Yes. If companies introduce new employee-related data processing activities or adapt existing ones, the employees must be informed in advance based on GDPR and Swiss law. Obtaining explicit consent may need to be considered insofar as the overriding public interest in connection with a health emergency does not justify the planned processing activity. However, it needs to be observed that any consent must be given freely and in a manner that allows it to be withdrawn at any point in time.
To what extent must businesses adapt their data protection documentation?
The adaptation of internal processes due to COVID-19 measures also entails updating the data protection documentation, in particular the data protection impact assessments (DPIA) and the register of processing activities under GDPR (the same applies under the upcoming revised Swiss Data Protection Act).
Why is it necessary to review and/or amend IT supplier contracts?
It has become apparent that COVID-19 measures may lead to an increased use of the IT infrastructure (e.g., due to home office work). In order to prevent negative impacts on the IT infrastructure, the relevant IT supplier contracts should be assessed with regard to the agreed quantity/quality of the performance (service levels) of the IT infrastructure and, if necessary, amended.
How can you best respond to COVID-19 risks from a privacy law perspective?
- Keep yourself and relevant stakeholders informed and consider the available guidance from the Data Protection Supervisory Authorities in connection with COVID-19.
- Do not assume that the current health emergency per se justifies extended data processing. There are legal limits as well as internal technical and organizational measures (TOMs) that need to be considered.
- Be aware of changes in your standard processes caused by COVID-19 measures. In general, every major deviation requires an assessment under data protection law. We recommend conducting privacy impact assessments as required.
How we can support you
We would be pleased to discuss with you through a webcast or call:
- How we can help you to adapt business processes to the COVID-19 risks in accordance with data protection regulations (e.g., implementing measures entailing the processing of sensitive personal data, such as health data).
- How we can help you to prepare required privacy related instructions and information for your employees and customers.
- How we can support you with conducting or updating data protection impact assessments (DPIA) when setting up new or amended processes.
- How we can support you with assessing data processing agreements with third parties regarding the permissibility of home office work (e.g., when client data is involved).
Feel free to contact us at any time!