Skip to main content

How can we help you?

From a data protection perspective, employers can take measures to protect employees and ensure business continuity. Certain restrictions apply, but a lot can still be done.

In the present circumstances, companies will want to take measures to protect their employees and ensure business continuity. Recent guidance (original version in Dutch) from the Dutch Data Protection Authority (DDPA) can help businesses determine a strategy in this regard. 

May I test my employees for coronavirus?
As an employer you are not allowed to check your employees for the corona virus yourself. Only the (company) doctor may do so. The (company) doctor will share the outcome with the employee. If the employee is sick, he or she can call in sick through the usual procedure.

Measures in the workplace
If the doctor suspects that the employee has coronavirus, he or she will contact the competent Public Health Service (GGD) as soon as possible. In consultation with you, the Public Health Service can then propose measures for the workplace.

RIVM guidelines
The RIVM has issued instructions on how to deal with contacts at work and with clients. All employers are expected to follow these instructions to ensure that their employees are aware of the RIVM guidelines, and to make them available in all relevant languages. For more information, please see the section entitled "Current information about the novel coronavirus (COVID-19)" on the RIVM's website.

Sending a sick employee home
Does your employee seem to have a cold or the flu? Then you may send him or her home, in view of the exceptional circumstances resulting from the coronavirus crisis.

Employers are not normally entitled to ask employees about their health or test the health of their employees. Nor is it allowed to keep a record of the reasons for sick leave. This area is regulated by law.

However, the DDPA believes that employers may request that employees cooperate during the coronavirus outbreak. Employers may therefore send home an employee suffering from a cold or the flu, in view of the special circumstances resulting from the coronavirus crisis.

May an employer ask an employee to contact a doctor?
An employer can always ask its employees to contact the company doctor, the occupational health and safety service or a general practitioner for a check-up.

If the doctor suspects that the employee has coronavirus, he or she will contact the competent Public Health Service (GGD) as soon as possible. In consultation with you, the Public Health Service can then propose measures for the workplace. 

What are some measures a company can take which are in line with data protection laws?

  • Follow the DDPA's guidance (see above). The DDPA has also issued helpful tips to securely work from home (in Dutch).
  • Prepare a communications strategy, if you do not yet have one, for crisis situations. Should there be an infection or outbreak within the company, it is preferable to be in control of the message. This is relevant for COVID-19 as well as other situations (ransomware and other incidents).
  • Activate your business continuity plan. Such a plan is a best practice and even compulsory in certain critical industries such as the financial sector. The plan describes what to do if the offices can no longer be used and ideally should indicate alternative premises.
  • According to the Working Conditions Act (Arbowet), an employer is obliged to create a safe working environment. Acting as a 'good employer' implies abiding by existing and new guidelines issued by the government and/or the National Institute for Public Health and Environmental Protection (RIVM).
  • Teleworking does not equate loss of control, as long as you set clear rules beforehand (preferably have a teleworking policy in place) and abide by the applicable legislation. Time-tracking and IT monitoring tools are permitted under certain circumstances. In the Netherlands, you first need to properly inform employees of the possibility of monitoring, sometimes even involving the works council in a consultation process. Make sure you do so before you roll out a monitoring system. Discuss teleworking with your employees and if government and/or RIVM guidelines so allow, you may oblige employees in principle to accept teleworking provided you place the necessary means at their disposal (a laptop and other necessary tools).
  • Remote working can endanger business information and personal data, depending on the tools chosen. Make sure you don't lose the protection working in the office provides, such as the confidentiality of business information and the protection of personal data relating to your employees. Check carefully the terms of any screen-sharing or video conferencing tool you wish to use, as some allow the provider to reuse the shared content or to analyse conversations.
  • Revisit IT outsourcing arrangements. The last few weeks have shown that even when companies and organisations do not encounter problems themselves, their suppliers may, which could have an adverse effect on their business. Therefore, in the IT context, it is prudent to revisit outsourcing arrangements and verify the impact of potential delivery failures by external service providers.

What is the DDPA's approach during the current crisis?

The DDPA has announced (in Dutch) that in view of the ongoing coronavirus outbreak, it will grant organisations additional time to answer its questions. 
The DDPA recognises that the top priority is fighting coronavirus and saving lives, followed by preventing major economic and societal damage. The DDPA has stated that it will give organisations the necessary space to focus on the consequences of the coronavirus crisis and will extend deadlines, where necessary. The DDPA moreover mentions that it can help organisations come up with possible solutions, for instance with respect to means of communication.
This does not mean that privacy is no longer a concern. The DDPA mentions that the coronavirus crisis should not be used as an excuse to throw privacy completely overboard and should not lead to a ‘big-brother society’. 
What has the European Data Protection Board stated about the coronavirus crisis?

The EDPB has released a statement on the processing of personal data in the context of the COVID-19 outbreak (in English). The EDPB mentions that data protection rules, including the GDPR, do not hinder measures taken in the fight against the coronavirus pandemic. In addition, the EDPB provides guidance with respect to e.g. the lawfulness of processing personal data in the context of COVID-19, the use of mobile location data and the processing of employee data.

Would you like to keep up to date with our publications regarding COVID-19? Register here. We will send you a weekly update with the latest articles.

Cookie notice

Our website only uses cookies when you play video content. Video content is streamed from YouTube, YouTube is a Google service. Our website does not use tracking cookies and/or third party cookies when you do not play video content. Please read the privacy/cookie policy for more information.