From a data protection perspective, employers can take measures to protect employees and ensure business continuity. Certain restrictions apply, but a lot can still be done.
In the present circumstances, companies will want to take measures to protect their employees and ensure business continuity. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, "DDPA") provides guidance with respect to data protection and the coronavirus on a special section it published on its website (original version in Dutch). The section is regularly updated and currently includes specific guidance with respect to health and temperature checks, the use of telecom data, the coronavirus and the educational sector (especially the use of proctoring software), the use of mobile camera surveillance, working safely from home, access to medical files and the use of corona apps.
The DDPA’s guidance on health and temperature checks is especially noteworthy. Such checks will mostly involve the processing of health data, a category of special personal data. The processing of special personal data is in principle prohibited, but is allowed in specific situations set out in the General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (Uitvoeringswet AVG).
It follows from the current DDPA’s guidance, however, that merely reading a temperature of a thermometer (alleen aflezen van de temperatuur op een thermometer), without the intention to store (transfer, register) the measurements and without involvement of any automated processing (e.g. gates which open or a green light), does not constitute processing of personal data in scope of the GDPR (original guidance in Dutch). Such practice (whereby employees, visitors or customers are for instance given the option to measure their own temperature) therefore falls outside the scope of the DDPA’s supervision. This creates some leeway, although the DDPA stresses that it does not fully preclude privacy risks, such as violations of certain human rights (e.g. right to private life and right to physical integrity).
What are some measures a company can take which are in line with data protection laws?
- Visit the section about the coronavirus on the DDPA's website and follow the DDPA’s guidance (see above).
- Prepare a communications strategy, if you do not yet have one, for crisis situations. Should there be an infection or outbreak within the company, it is preferable to be in control of the message. This is relevant for COVID-19 as well as other situations (ransomware and other incidents).
- Activate your business continuity plan. Such a plan is a best practice and even compulsory in certain critical industries such as the financial sector. The plan describes what to do if the offices can no longer be used and ideally should indicate alternative premises.
- According to the Working Conditions Act (Arbowet), an employer is obliged to create a safe working environment. Acting as a 'good employer' implies abiding by existing and new guidelines issued by the government and/or the National Institute for Public Health and Environmental Protection (RIVM) – in accordance with guidance published by the DDPA.
- Teleworking does not equate loss of control, as long as you set clear rules beforehand (preferably have a teleworking policy in place) and abide by the applicable legislation. Time-tracking and IT monitoring tools are permitted under certain circumstances. In the Netherlands, you first need to properly inform employees of the possibility of monitoring, sometimes even involving the works council in a consultation process. Make sure you do so before you roll out a monitoring system. Discuss teleworking with your employees and if government and/or RIVM guidelines so allow, you may oblige employees in principle to accept teleworking provided you place the necessary means at their disposal (a laptop and other necessary tools).
- Remote working can endanger business information and personal data, depending on the tools chosen. Make sure you don't lose the protection working in the office provides, such as the confidentiality of business information and the protection of personal data relating to your employees. Check carefully the terms of any screen-sharing or video conferencing tool you wish to use, as some allow the provider to reuse the shared content or to analyse conversations. The DDPA’s specific guidance with respect to video conferencing tool selection is especially helpful in this respect (in Dutch).
- Revisit IT outsourcing arrangements. The last few weeks have shown that even when companies and organisations do not encounter problems themselves, their suppliers may, which could have an adverse effect on their business. Therefore, in the IT context, it is prudent to revisit outsourcing arrangements and verify the impact of potential delivery failures by external service providers.
What is the DDPA's approach during the current crisis?
The DDPA has announced (in Dutch) that in view of the ongoing coronavirus outbreak, it will grant organisations additional time to answer its questions.
The DDPA recognises that the top priority is fighting coronavirus and saving lives, followed by preventing major economic and societal damage. The DDPA has stated that it will give organisations the necessary space to focus on the consequences of the coronavirus crisis and will extend deadlines, where necessary. The DDPA moreover mentions that it can help organisations come up with possible solutions, for instance with respect to means of communication.
This does not mean that privacy is no longer a concern. The DDPA mentions that the coronavirus crisis should not be used as an excuse to throw privacy completely overboard and should not lead to a ‘big-brother society’.
What has the European Data Protection Board stated about the coronavirus crisis?
The EDPB has released a statement on the processing of personal data in the context of the COVID-19 outbreak on 19 March 2020 (in English). The EDPB mentions that data protection rules, including the GDPR, do not hinder measures taken in the fight against the coronavirus pandemic. In addition, the EDPB provides guidance with respect to e.g. the lawfulness of processing personal data in the context of COVID-19, the use of mobile location data and the processing of employee data. The EDPB has adopted two guidelines in view of the coronavirus, namely guidelines (i) on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (in English) and (ii) on the processing of data concerning health for the purpose of scientific research in the con-text of the COVID-19 outbreak (in English). The EDPB has adopted two guidelines in view of the coronavirus, namely guidelines (i) on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (in English ) and (ii) on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (in English). Lastly, on 16 June 2020 the EDPB released two new statements. In one statement the EDPB emphasises, in view of the development of borders reopening, that data protection legislation must be respected when measures are put in place to mitigate the risk of the pandemic spreading (in English). The other statement relates to the data protection impact of the interoperability of contact tracing apps (in English).
Would you like to keep up to date with our publications regarding COVID-19? Register here. We will send you a weekly update with the latest articles.