We’re committed to giving legal insights and practical guidance on the impact of COVID-19 on Romanian businesses.
COVID-19 Resources

GDPR in Times of COVID-19

14 April 2020

The need to contain the coronavirus pandemic has raised various issues regarding the processing of health-related data at companies’ level, and we are witnessing significant differences in terms of approach undertaken by data protection authorities on this subject matter.

Even so, if we were to find a common denominator regarding what can and what cannot be done by companies in relation to processing of health-related data in the context of COVID-19 outbreak, the following conclusions may be drawn:

GDPR rules continue to apply and are not relaxed in the context of the pandemic; special care must be given in this regard to make sure that companies, depending on their specific commercial pattern, identify a valid legal ground on which processing of personal data is performed, and that they process only personal data which is strictly necessary for a particular purpose;

companies must make sure to have in place privacy notices which detail how personal data of employees will be used, in a concise, transparent, intelligible and easily accessible form, using clear and plain language;

companies should refrain from collecting (in advance and in a systematic and generalised manner, including through specific requests to the individual employee or unauthorized investigations), information on the presence of any signs of infection in the employee and his or her closest contacts, or anyhow regarding areas outside the work environment;

especially, companies should not take measures such as:

mandatory body temperature readings of each employee or visitor;

collection of medical forms or questionnaires from all employees; or

requiring visitors or other external persons to sign a standardised statement certifying that they do not have symptoms of coronavirus or that they have not recently travelled to a risk area;

instead, companies may:

raise employee awareness and invite employees to report information about themselves in connection with potential exposure to COVID-19 to the employer or the relevant health authorities;

facilitate the transmission of such information by setting up, if necessary, dedicated channels; and

facilitate remote working methods;

in the event employees report suspected exposure to COVID-19, companies may record:

the date and the identity of the person suspected of being exposed, and

the organizational measures implemented in this regard;

companies should avoid disclosing the names of infected persons to the other employees; however, in order to protect the rest of the employees, they may inform the latter without mentioning the identity of the infected persons.

Consequently, companies should not implement measures to fight against the coronavirus pandemic that would infringe the employees’ right to privacy. Any action undertaken for this purpose should be balanced and carefully assessed in terms of its adequacy and necessity.