Search
In addition to the strong restrictive measures implemented across countries to contain the coronavirus (COVID-19), businesses are introducing internal procedures and measures including screening methods, to avoid the spread of the virus to the office facilities. This practice poses questions relating to employment law and processing of personal data. Thus, this newsletter will assess the GDPR and employment law consequences of implementing control measures in Denmark.
COVID-19 was first reported on 31 December 2019 in Wuhan, China, and has since spread across the globe. On 30 January 2020, the World Health Organisation (WHO) declared the outbreak to be a public health emergency of international concern. To interrupt virus spread in the office space, companies have implemented restrictive measures. These include workplace shutdowns, temporary quarantines, social distancing and screening of employees. The measures may result in a collection of personal data from a wide range of individuals and consequently considerations of protection of personal data under the General Data Protection Regulation (the “GDPR”) will have to be taken into account. Thus, businesses are seeking to understand their rights and obligations during these circumstances and particularly which measures are possible in a legal context. As a result, the Danish Data Protection Agency issued a guidance on 5 March 2020 concerning employers’ control measures and rights and obligation in regards to registration and processing health related information about their employees.
When companies are implementing extraordinary measures to prevent the spread of COVID-19, they must be aware that if such measures include any collection and registration of information about:
Before implementing any preventive measures, the companies must assess whether such measures, like screening, comply with the GDPR.
In its guidance, the Danish Data Protection Agency states that to the extent, companies are only registering information about whether a person has been to specific destinations within a limited period of time, such data will not be regarded as sensitive personal data (or special categories of data as defined in the GDPR article 9). Thus, companies can process such data based on the legitimate interest assessment set out in GDPR article 6(1)(f).
Provided a company actively initiates collection of information from employees, the company must make sure to inform the individuals about such collection and processing of their personal data for the specified purposes and in this respect comply with the requirements set out in GDPR article 13. Many companies will already have notified the employees about collection and processing of information, as this is a usual procedure at workplaces, for instance when registering illness in order to administrate staff availability and internal resources. However, notification will generally be required, if information about specific destinations is collected, as this will be processing of new personal data and for a new purpose.
If companies are screening individuals by collecting data about an individual’s health, e.g. by taking their temperature or specifically stating that a person is infected with COVID-19, this will constitute processing of sensitive personal data (or special categories of data as defined in the GDPR). The processing of sensitive personal data generally requires the individual’s consent (if such consent can be obtained freely), unless one of the other derogations set out in GDPR article 9 applies.
In order to ensure administration of internal resources and staff availability, companies may also want to keep a log of employees in quarantine or infected with COVID-19. Keeping a log of employees in quarantine and/or infected with COVID-19, requires that it is necessary to know the specific disease in order to carry out the administration. Additionally, the guidance of the Danish Data Protection Agency states that it, in certain circumstances, can be possible for an employer to register and disclose information that an employee has caught COVID-19. The agency uses the example that it is necessary for the management and colleagues to be able to take necessary precautions. However, the Danish Data Protection Agency is also making it clear that the right to register and disclose health information must be subject to that:
Should the company find that they cannot reason the registration and/or disclosure with any of the above mentioned considerations the company will not be in compliance with GDPR if they register that an employee is infected with COVID-19 or in quarantine due to COVID-19.
In addition to the general principles outlined above, the company must also have a legal basis to collect and process the health data.
If the screening is done on employees, the processing will be permitted, if the processing is necessary for exercising specific rights of the data controller in the field of employment law, if such has a legal basis in member state law or collective agreements pursuant to member state law (GDPR article 9(2)(b)). In Denmark, the employer’s right to implement control measures follows from the employer’s managerial right and is codified in the agreement about control measures as of 27 October 2006 between the former LO and DA. The control measures must be relevant and proportionate to be legal. Employee involvement is crucial when implementing control measures and we recommend that the employer at companies with works councils, involve the works council. Under the agreement on control measures between LO and DA, control measures can only be implemented with a 6 weeks’ notice, unless compelling reasons demand immediate actions. A general wish to be cautious does not constitute a compelling reason, as this at least will require a reasonable suspicion that employees are e.g. coming into work sick. To the extent the screening measures are proportionate and otherwise comply with the requirements for implementing new control measures, it should be noted that screening in the form of measuring the employees’ temperature only in exceptional cases would be accepted as a proportionate.
Another derogation in GDPR article 9(2) is item (i), which stipulates that processing is not prohibited if the processing is necessary for reasons of public interest, in the area of public health, such as protecting against serious cross-border health threats, where such has a legal basis in member state law. In Denmark there are no specific rights for companies to collect and process personal data for the purpose set out in GDPR article 9(2)(i). Thus, Danish companies cannot apply this derogation.
To the extent, the screening measures cannot be implemented based on the employer’s right to implement control measures, it must be assed if consent, as set out in GDPR article 9(2)(a), can be obtained freely from the individuals. To the extent, the individuals are employees of a company implementing screening of employees’ health, the consent will not be regarded as freely, given the nature of the employee/employer relationship. It is likely that companies can implement screening measures based on the consent of other third parties, however, such screening measures will most likely not comply with the general principles of the GDPR, as the processing of such health data will not be regarded as proportionate.
Danish employers have a managerial right towards the employees and can thus structure work streams and impose control measures, provided the measures are fair, relevant and proportionate. The employer can generally take relevant measures to prevent the spreading of disease, including imposing restrictions on participation in business trips and meetings, under the authority of the managerial right. An employer can generally not limit the employees’ free time or which holiday destinations the employees travel to. An employer can however, choose to impose restrictions on e.g. access to premises if employees have traveled to red zone destinations.
The employer can instruct employees to refrain from coming into work if they have been exposed to potential infection. If the employer instructs an employee not to come to work, the employer will in most cases have to pay salary even though the employee is unable to perform work. If possible, the employer can instruct the employee to perform work from home.
If an employee is quarantined by the authorities or in voluntary isolation based on recommendations by the authorities this will be considered lawful absence meaning that the employee is not in breach of the employment agreement by his/her absence from work. However, if the employees are not ill they may, depending on the circumstances, not have a legal right to receive salary and the absence can be viewed as holiday or free time at the employees own expense. The Danish Ministry of Employment has announced that the Ministry considers quarantine ordered by authorities equal to illness and thus salaried employees are entitled to salary even if they are not ill. The Salaried employees that are ill are legally entitled to receive payment for the full duration of the absence due to illness.
Consequently, in accordance with the guidance from the Danish Data Protection Agency, companies can implement procedures to document if employees have been to destinations where the coronavirus has been detected. However, under Danish law and GDPR, companies cannot implement screening measures involving processing of health data. Additionally in regards to employment law, we recommend that employers, when considering whether or not to pay salary to employees in voluntary isolation, to consider the risk that the employees may choose to conceal information that would qualify them for isolation and keep coming into work, if they will not receive salary during quarantine related absence.
Read the guidance from the Danish Data Protection Agency here.