French Data Protection Authority Issues COVID-19 Guidance on Personal Data Collection

Due to the Coronavirus pandemic, some companies have been quick to address issues related to the protection of their employees. The French Data Protection Authority (Commission Nationale Informatique et Libertés CNIL), has issued guidance setting forth best practices in line with the application of the General Regulation on the Protection of Personal Data (GDPR) outlining the best practices to adopt with regard to the collection of personal data, in particular health data.

An employer can:

• Legitimately inform and sensitize his personnel to inform a possible exposure to COVID-19 or directly to the competent health authorities;
• Promote methods of teleworking and encourage the use of occupational medicine;
• In the event of a report, the company may record the date and identity of the person suspected of having been exposed and the organizational measures taken (e.g., containment, teleworking, contact with the occupational physician, etc.).

Companies will be able to communicate with the relevant health authorities, at their request, any information relating to the nature of the exposure which is necessary for any health or medical care of the exposed person. Moreover, the employee must also inform his employer in case of suspicion of contact with the virus, as this is indeed part of his individual obligation to protect the health and safety of others and himself.

An employer cannot:

• Systematically and generally collect, or through individual inquiries and requests, information relating to the search for possible symptoms presented by an employee and his/her relatives.

Indeed, although the current exceptional context, this does not authorize the employer to take measures likely to undermine the privacy of the persons, in particular by collecting health data which would go beyond the management of suspected exposure to the virus. Moreover, health data, protected by the GDPR, are also covered by the medical secrecy provided in the French Public Health Code. It is therefore strictly prohibited, in accordance with the GDPR, to implement, for example:

• Mandatory body temperature readings for each employee/visitor to be sent daily to his or her hierarchy;
• Or the collection of medical records or questionnaires from all employees.

Only health authorities are authorized to collect such data.

In this respect, Ordinance No. 2020-386 of 1 April 2020 specifies that as part of their missions and prerogatives, occupational health services should participate in the fight against the spread of the coronavirus, in particular by:

• Disseminating prevention messages to employers and employees against the risk of contagion;
• Supporting companies in defining and implementing adequate prevention measures against this risk;
• Supporting companies that, as a result of the health crisis, have had to increase or adapt their activity.

It should be noted that differences exist between the different jurisdictions on this issue. For instance, in Germany, employees may, under their general duty of loyalty to the employer, be required to answer questions about their health (and do so truthfully) if there are specific (COVID-19-related) symptoms of illness. Companies must therefore be aware of the regulations governing to their activity.

TIP: Companies must therefore remain particularly vigilant in collecting health data of and cannot, on the ground of the risks associated with COVID-19, deviate from the recommendations of the CNIL and the health authorities.

To receive the most recent articles from our French L&E lawyers, please subscribe to our newsletter.