Coronavirus – New guidelines on handling of health data from French regulator – France

• France

• Coronavirus - Country overview
• Coronavirus - Data and Cyber Security issues

10-03-2020

In the past few weeks we have observed various practices emerging in work places as precautionary measures, ranging from simple advices to employees to wash their hands and refrain from physical meetings, to a mandatory monitoring of employee’s temperature on a daily basis to track potential symptoms. However, even though the later has been practiced in various companies and reported in the news, and even though it may seem as a cautious practice from a health perspective, such practice may not be acceptable in France from a data protection perspective as breaching some of employees right to privacy.

The CNIL (French Data Protection Authority) confirmed it this past Friday: employees should not monitor employees’ health symptoms.

Even in the current health crisis context, employers should not monitor their employees to check for symptoms (either by imposing temperature checks to all employees, agents and visitors of the company, or by requesting employees to report their temperature or other health symptoms on a daily basis to their supervisor). Employers should also refrain from collecting health data through questionnaires circulated to all employees and agents.

Indeed, in general, the collect of personal data is only allowed when it fits in one of the 6 legal basis outlined in GDPR (EU regulation No. 2016/679) at article 6. This applies in particular to employers who are only allowed to collect certain kind of data for legitimate purposes, such as data for human resources purposes or in order to fulfil their legal obligations.

Data controllers (employers in this context) must be able to demonstrate that their processing of personal data is necessary, reasonable and proportionate to the intended purpose. Data controllers must also comply with the principle of data minimization, i.e. they should minimize the amount of data collected and in general should only collect whichever data is strictly necessary and relevant.

The collect of sensitive data, such as health data, is even more regulated. It is forbidden by principle, unless it meets one of the exceptions outlined in GDPR at article 9, such as when the processing is in the public interest and that it has been authorized by the data supervisory authority.

An important point to note is that while the data subject’s consent is usually a valid exception for the processing of sensitive data, such basis should not be relied on in an employment context. Indeed, the G29 guidelines on consent and on data processing at work indicate that due to the nature of the employment relationship, consent is deemed to be not freely given.

The CNIL’s position is that the current Coronavirus outbreak context does not justify the collect of sensitive data by employers or companies in general, including under a public interest or health prevention basis.

However, the CNIL reminds the practices that are allowed from a data protection perspective and that may even be the employers’ responsibility, in particular pursuant to article L.4121-1 of the French Labor Code.

As stated above, it is questionable for employers to impose mandatory checks for symptoms. However, employers may encourage their employees to share with their supervisor or with the competent health authorities any individual information with respect to a potential exposure to the virus. Employers may also facilitate the communication of such information through dedicated channels. They may encourage employees to work remotely or even impose remote working. In case they receive notice of a potential contamination, employers may process the date and identity of the individual who may have been exposed to the virus. They may also share relevant information regarding the risk of exposure to the competent health authority.

Each employee and agent also has the personal responsibility to preserve health and security in the work place, in particular pursuant to article L. 4122-1 of the French Labor Code. Therefore, employees must inform their employer in case they may have been exposed to the virus.

Click here to access the CNIL’s guidelines on the topic.

Please note that these guidelines are specific to France as the local implementation of GDPR may vary from one EU country to another. Therefore, the guidelines in other countries, including in neighboring EU countries, may differ.