Short Reads

How to cope with data protection rules in times of the coronavirus pandemic?

How to cope with data protection rules in times of the coronavirus pa

How to cope with data protection rules in times of the coronavirus pandemic?

24.03.2020 BE law

Privacy issues are very pertinent in the fight against the coronavirus. Also in times of a global pandemic, general data protection restrictions must be respected. This section will focus on a number of considerations that can be taken into account.

Does an individual's health status involve personal data?

The General Data Protection Regulation (“GDPR") defines personal data as any information relating to an identified or identifiable natural person. The GDPR clarifies that a natural person can be identifiable, directly or indirectly, by identifiers such as a name or an identification number, but also by factors specific to the physical, physiological, genetic or mental status of that natural person.

Within this category of personal information, the GDPR qualifies certain types of data as “sensitive data", which deserve a more rigorous protection than other types of information. Such sensitive data include genetic data, biometric data and data concerning the health of the person involved. Consequently, any information relating to an individual's health status, including whether he/she is infected by the coronavirus, will be considered sensitive information and stringent rules must be abided by.

Can an employer ask for an individual's (health) information in relation to the coronavirus?

In case an employer wishes to ask for its employee's health status, it is advisable to refer the employee to the prevention advisor-doctor. In addition, an employer can collect a family member's health data if the family member has consented or if the collection is necessary for reason of public interest in the area of public health (such as protecting against serious cross-border threats to health) as an implementation of explicit directives imposed by the competent authorities. In any event, the individual whose information is collected must be properly informed about the processing (see below).

In case the employer needs to know non-health related information, such as contact details or location details, the employer may collect such data if there is a valid legal ground, e.g. in the employment contract or if the collection is necessary for the employer's or other person's legitimate interest. There is no need to run such collection via the prevention advisor-doctor, although such might be the most pragmatic way to operate.

In any case, whether or not the information is relating to an employee or its family member, proportionality must be safeguarded, as emphasized by the European Data Protection Board. Only information strictly necessary for the prevention, detection or handling of the coronavirus pandemic may be collected. For example, only a list of the person's contacts of the last few days may be collected, but no information relating to his/her contacts over the past months. In addition, the French and Belgian data protection authorities have advised that employers must refrain from systematically collecting all types of (health) data which go beyond the suspected exposure to or contamination by the virus. Mandatory body temperature readings or the collection of medical information through questionnaires will not pass the European data protection test.

Lastly, the (health) information collected in light of the prevention or detection of contamination may not be used for another purpose. For example, in case the employer collects an employee's location data during the past week, this information may not be used to track the employee's whereabouts relating to the employee's mileage allowance. Such will lead to a breach of the applicable data protection rules.

Can a company carry out checks on visitors?

Mainly, the same reasoning as to employees' (health) checks can be applied to checks on visitors. Although a company may have a legal ground to check a visitor's health status (e.g. body temperature), e.g. because the visitor has consented or such may be necessary for reasons of public interest in the area of public health, the need for proportionality will probably limit (body) controls on visitors. Consequently, only under certain conditions, including collecting information proportionately and after providing transparent information on the data collection, body temperature checks may be conducted on visitors.

Surely, you can ask visitors to leave the premises if they feel like they are at risk. In addition, visitors can be requested to abide by the health and safety standards of the company when on site, such as hand washing policies. Hence, it is important to use clear and concise guidelines to inform visitors as to what is expected from them (e.g. by using pictograms).

Can a company track location data to check where its users have been?

Data of device users, such as employees, clients or visitors, can also be relevant in the fight against the coronavirus. For instance, a company can track its users' whereabouts through different apps, or taking it even further by inferring with whom the user has been in contact.

In the absence of derogating legislation, such tracking actions will need the consent of the user. Again, proportionality must be safeguarded, whereby no more information may be collected than necessary for the purpose served, and the user must thereby be properly informed about the tracking actions taken. It must also be examined whether or not a less intrusive method could be used to divert where the user has been and with whom he potentially has been in contact (e.g. through anonymous data).

Can a company share the information with others?

The information the company has collected, whether it concerns its employees, family members, visitors, users or other individuals, may be shared with other parties under certain conditions.

The individual concerned must be properly informed about the third parties that will be receiving his information, such as governmental bodies, hospitals or other authorities. The company must also assure that only the information relevant for the purposes pursued by the third party is shared. For instance, location details and symptoms of the coronavirus may be necessary to share, but by also sharing an individual's full medical history, a breach of the relevant data protection rules may occur. Moreover, from a practical point of view, in times of immense influxes of data relating to the coronavirus, this additional information is not deemed helpful for the authorities.

In any event, the employer may not divulge the names of the individuals. The employer should only share information with other employees without mentioning the identity of the person(s) concerned.

Are there any practicalities that a company can take into account?

Given the dramatic spread of the coronavirus, the need for actions can be very urgent. Nevertheless, the (data protection) rights of the individuals involved must be respected. Especially the communication of prior, accurate and transparent information regarding the data collected, the purposes and the third parties with whom the data will be shared is important. This can happen ad hoc at the moment of the investigation, or more broadly, through an update of the company's privacy policy. Furthermore, a valid legal basis must be present. Since an employee's consent is considered to not be “freely given", as expressed in the GDPR, an employee's consent can never be used as a valid ground. Other legal grounds, such as necessary for reasons of public interest or to comply with a legal obligation, may be appropriate. In addition, it is also important to adopt adequate security measures and confidentiality policies ensuring that information is not being disclosed to unauthorized parties.

Lastly, in case deviations are deemed necessary, it is important that the circumstances and justification for such deviations are recorded, and that the DPO or privacy responsible as well as the Committee for Prevention and Protection at Work are consulted.


This article provides some general insights on different legal questions. These insights do not constitute legal advice and may not be relied upon as if they were legal advice. The outcome of any legal analysis will strongly depend both on the specific facts and circumstances of each case and on the particularities of the sector and legal relationship involved. Our legal experts in the various domains concerned are available to assist you with the analysis of your questions and provide specific advice tailored to your case and circumstances.


Related news

03.07.2020 NL law
E-book NOW-2: Tweede tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid

Articles - Op 17 maart 2020 kondigde het kabinet het eerste noodpakket aan met steunmaatregelen om de economische gevolgen van de coronacrisis te dempen. Onderdeel van dit noodpakket zijn onder andere de Eerste tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid (“NOW-1”) en de Tijdelijke overbruggingsregeling zelfstandige ondernemers (“Tozo-1”).

Read more

07.07.2020 NL law
Inwerkingtreding Tijdelijke Wet COVID-19 Justitie & Veiligheid

Short Reads - Op 24 april 2020 is de Tijdelijke Wet COVID-19 Justitie & Veiligheid (“de Noodwet”) in werking getreden. Aan de hand van de Noodwet kunnen rechtspersonen tijdelijk afwijken van wettelijke en statutaire bepalingen en kunnen bepaalde termijnen worden uitgesteld. De Noodwet is een antwoord op de beperkingen die gelden als gevolg van de uitbraak van COVID-19. De Tijdelijke wet COVID-19 Justitie en Veiligheid is een verzamelwet.

Read more

25.06.2020 NL law
Een groene encyclopedie voor de financiële sector

Short Reads - Op 22 juni 2020 is de Europese taxonomieverordening (Verordening (EU) 2020/282) gepubliceerd. De verordening wordt gezien als een mijlpaal voor de verduurzaming van de financiële sector. De Europese Commissie ziet het herstel en de wederopbouw van de economie na de coronacrisis als een kans voor een fundamentele verandering naar een duurzame economie.

Read more

07.07.2020 NL law
Inwerkingtreding deel Implementatiewet Herziene aandeelhoudersrechtenrichtlijn

Short Reads - In onze Corporate Update van 6 februari 2020 bespraken wij de inwerkingtreding van de Wet tot implementatie van de Herziene aandeelhoudersrechtenrichtlijn (“SRD II”) (“Implementatiewet”) op 1 december 2019. De bepalingen over de identificatie van aandeelhouders, de uitwisseling van informatie met aandeelhouders en de facilitering van (stem)rechten treden op 3 september 2020 in werking.

Read more