Short Reads

How to cope with data protection rules in times of the coronavirus pandemic?

How to cope with data protection rules in times of the coronavirus pa

How to cope with data protection rules in times of the coronavirus pandemic?

24.03.2020 BE law

Privacy issues are very pertinent in the fight against the coronavirus. Also in times of a global pandemic, general data protection restrictions must be respected. This section will focus on a number of considerations that can be taken into account.

Does an individual's health status involve personal data?

The General Data Protection Regulation (“GDPR") defines personal data as any information relating to an identified or identifiable natural person. The GDPR clarifies that a natural person can be identifiable, directly or indirectly, by identifiers such as a name or an identification number, but also by factors specific to the physical, physiological, genetic or mental status of that natural person.

Within this category of personal information, the GDPR qualifies certain types of data as “sensitive data", which deserve a more rigorous protection than other types of information. Such sensitive data include genetic data, biometric data and data concerning the health of the person involved. Consequently, any information relating to an individual's health status, including whether he/she is infected by the coronavirus, will be considered sensitive information and stringent rules must be abided by.

Can an employer ask for an individual's (health) information in relation to the coronavirus?

In case an employer wishes to ask for its employee's health status, it is advisable to refer the employee to the prevention advisor-doctor. In addition, an employer can collect a family member's health data if the family member has consented or if the collection is necessary for reason of public interest in the area of public health (such as protecting against serious cross-border threats to health) as an implementation of explicit directives imposed by the competent authorities. In any event, the individual whose information is collected must be properly informed about the processing (see below).

In case the employer needs to know non-health related information, such as contact details or location details, the employer may collect such data if there is a valid legal ground, e.g. in the employment contract or if the collection is necessary for the employer's or other person's legitimate interest. There is no need to run such collection via the prevention advisor-doctor, although such might be the most pragmatic way to operate.

In any case, whether or not the information is relating to an employee or its family member, proportionality must be safeguarded, as emphasized by the European Data Protection Board. Only information strictly necessary for the prevention, detection or handling of the coronavirus pandemic may be collected. For example, only a list of the person's contacts of the last few days may be collected, but no information relating to his/her contacts over the past months. In addition, the French and Belgian data protection authorities have advised that employers must refrain from systematically collecting all types of (health) data which go beyond the suspected exposure to or contamination by the virus. Mandatory body temperature readings or the collection of medical information through questionnaires will not pass the European data protection test.

Lastly, the (health) information collected in light of the prevention or detection of contamination may not be used for another purpose. For example, in case the employer collects an employee's location data during the past week, this information may not be used to track the employee's whereabouts relating to the employee's mileage allowance. Such will lead to a breach of the applicable data protection rules.

Can a company carry out checks on visitors?

Mainly, the same reasoning as to employees' (health) checks can be applied to checks on visitors. Although a company may have a legal ground to check a visitor's health status (e.g. body temperature), e.g. because the visitor has consented or such may be necessary for reasons of public interest in the area of public health, the need for proportionality will probably limit (body) controls on visitors. Consequently, only under certain conditions, including collecting information proportionately and after providing transparent information on the data collection, body temperature checks may be conducted on visitors.

Surely, you can ask visitors to leave the premises if they feel like they are at risk. In addition, visitors can be requested to abide by the health and safety standards of the company when on site, such as hand washing policies. Hence, it is important to use clear and concise guidelines to inform visitors as to what is expected from them (e.g. by using pictograms).

Can a company track location data to check where its users have been?

Data of device users, such as employees, clients or visitors, can also be relevant in the fight against the coronavirus. For instance, a company can track its users' whereabouts through different apps, or taking it even further by inferring with whom the user has been in contact.

In the absence of derogating legislation, such tracking actions will need the consent of the user. Again, proportionality must be safeguarded, whereby no more information may be collected than necessary for the purpose served, and the user must thereby be properly informed about the tracking actions taken. It must also be examined whether or not a less intrusive method could be used to divert where the user has been and with whom he potentially has been in contact (e.g. through anonymous data).

Can a company share the information with others?

The information the company has collected, whether it concerns its employees, family members, visitors, users or other individuals, may be shared with other parties under certain conditions.

The individual concerned must be properly informed about the third parties that will be receiving his information, such as governmental bodies, hospitals or other authorities. The company must also assure that only the information relevant for the purposes pursued by the third party is shared. For instance, location details and symptoms of the coronavirus may be necessary to share, but by also sharing an individual's full medical history, a breach of the relevant data protection rules may occur. Moreover, from a practical point of view, in times of immense influxes of data relating to the coronavirus, this additional information is not deemed helpful for the authorities.

In any event, the employer may not divulge the names of the individuals. The employer should only share information with other employees without mentioning the identity of the person(s) concerned.

Are there any practicalities that a company can take into account?

Given the dramatic spread of the coronavirus, the need for actions can be very urgent. Nevertheless, the (data protection) rights of the individuals involved must be respected. Especially the communication of prior, accurate and transparent information regarding the data collected, the purposes and the third parties with whom the data will be shared is important. This can happen ad hoc at the moment of the investigation, or more broadly, through an update of the company's privacy policy. Furthermore, a valid legal basis must be present. Since an employee's consent is considered to not be “freely given", as expressed in the GDPR, an employee's consent can never be used as a valid ground. Other legal grounds, such as necessary for reasons of public interest or to comply with a legal obligation, may be appropriate. In addition, it is also important to adopt adequate security measures and confidentiality policies ensuring that information is not being disclosed to unauthorized parties.

Lastly, in case deviations are deemed necessary, it is important that the circumstances and justification for such deviations are recorded, and that the DPO or privacy responsible as well as the Committee for Prevention and Protection at Work are consulted.


This article provides some general insights on different legal questions. These insights do not constitute legal advice and may not be relied upon as if they were legal advice. The outcome of any legal analysis will strongly depend both on the specific facts and circumstances of each case and on the particularities of the sector and legal relationship involved. Our legal experts in the various domains concerned are available to assist you with the analysis of your questions and provide specific advice tailored to your case and circumstances.


Related news

03.04.2020 NL law
COVID-19 and the Financial Markets

Short Reads - As COVID-19 spreads across the globe, companies face various legal issues related to the disease and its spread. These issues result in disruption to business, alongside the related regulatory and contractual implications. The crisis is severely affecting financial institutions and financial markets too. Both the Dutch and European financial regulators are closely monitoring the situation given the continuing impact of the COVID-19 pandemic on the financial markets.

Read more

02.04.2020 NL law
Stibbe in Amsterdam answers questions from consumers, small business foundations and NGOs about the coronavirus

Inside Stibbe - In a special Q&A (in Dutch), lawyers from our Amsterdam office share their legal expertise and strive to provide answers to questions put to us by consumers, self-employed persons, enterprises large and small, foundations and NGOs as a result of the corona crisis.

Read more

03.04.2020 NL law
Volledig virtuele AVA of ledenvergadering wordt mogelijk; instellen van noodwet goedgekeurd door Ministerraad

Short Reads - Vandaag heeft de Ministerraad ingestemd met toezending naar de Raad van State van een noodwet. Deze noodwet zal het voor alle rechtspersonen mogelijk maken om een volledig virtuele algemene vergadering of ledenvergadering te houden. Nederland volgt daarmee andere Europese landen zoals Italië, Frankrijk, Duitsland en Luxemburg.

Read more

01.04.2020 BE law
Tijdelijke werkloosheid – Maatregelen aangaande telewerk, physical distancing in essentiële en niet-essentiële bedrijven – Sociale verkiezingen

Articles - Elisabeth Matthys en Dieter Demuynck bespreken tijdelijke werkloosheid ten tijde van de Covid-19 crisis. Daarnaast verklaren ze de maatregelen aangaande telewerk en physical distancing in essentiële en niet-essentiële bedrijven, en gaan ze dieper in op de impact van de crisis op de organisatie van de sociale verkiezingen.

Read more

This website uses cookies. Some of these cookies are essential for the technical functioning of our website and you cannot disable these cookies if you want to read our website. We also use functional cookies to ensure the website functions properly and analytical cookies to personalise content and to analyse our traffic. You can either accept or refuse these functional and analytical cookies.

Privacy – en cookieverklaring