The purpose of this discussion is to provide, on the one hand, an updated picture of recent provisions on work and personal data and, on the other, the operational guidelines to be respected in the workplace in order to best apply the legislation on the protection of personal data. This is a very difficult task since, with the spread of the coronavirus epidemic in Italy, different provisions have followed one another, not always in line with each other, which we will analyze in detail below.
It is, however, possible to identify in the different provisions similar concepts that allow companies to adopt the most appropriate behaviors from time to time.
1) The information note of the Guarantor of 2 March 2020
2) The law decree n. 14 of 9 March 2020
3) The protocol of March 14, 2020
4) The Statement of the European Data Protection Committee of 16 March 2020
1) The information note of the Guarantor of 2 March 2020
Following the spread of the epidemic, the Privacy Guarantor issued an information note ruling out do-it-yourself initiatives in data collection, specifying that public and private subjects must comply with the indications of the Ministry of Health and the competent institutions.
The Guarantor considered it necessary to clarify the terms of the matter because numerous subjects (both public and private) had begun to request, upon registration of visitors and users, information about the presence of Coronavirus symptoms and about recent trips, as a preventive measure against contagion.
Many requests were also received from public and private employers, who asked the Guarantor whether they could acquire a "self-declaration" from employees regarding the absence of flu symptoms and events relating to the private sphere. The practice did not await a response and soon became common throughout the national territory, including in various companies that had prepared similar questionnaires, thus making the intervention even more necessary. The Authority has specified in this regard that this behavior is absolutely illegitimate.
It must be noted, however, that this indication contrasts with the previous orientation disseminated by consultants who, based instead on the combined provisions of Article 2087 of the Civil Code and Article 9 GDPR, had deemed a similar control by the employer possible, thus favoring the proliferation of such questionnaires.
The Guarantor, in contrast to this previous orientation, considered that the employer has duties, but these duties can be exercised only and exclusively through the most appropriate tools provided by the law.
This approach is in line with the Government's attempt to identify a common line, avoiding uneven practices between the various areas of our territory.
In conclusion, "employers must therefore refrain from collecting, a priori and in a systematic and generalized way, even through specific requests to the individual worker or unauthorized investigations, information on the presence of any flu symptoms of the worker and his closest contacts or in any case falling within the non-working sphere", explains the Guarantor.
The requirements of the Guarantor can be summarized as follows:
What to do
- anyone who has stayed in the areas at epidemiological risk in the last 14 days, as well as in the municipalities identified by the most recent regulatory provisions, must notify the local health authority, also through the general practitioner, who will carry out the required checks;
- the obligation to report to the employer any situation of danger to health and safety in the workplace remains unaffected;
- in the event of suspected contact between an employee who performs duties in contact with the public and a suspected case of Coronavirus, the employee, also through the employer, will communicate the circumstance to the competent health services and comply with the prevention indications provided by the health professionals consulted;
- it is advisable to update the "Risk Assessment Document" (so-called DVR) making explicit mention of the epidemic risk;
- employers must refrain from collecting, a priori and in a systematic and generalized way, also through specific requests to the individual worker or unauthorized investigations, information on the presence of any flu symptoms of the worker and his closest contacts or in any case falling within the non-working sphere. The purpose of preventing the spread of Coronavirus must in fact be pursued by subjects who institutionally exercise these functions in a qualified way;
- they can invite their employees to make the aforementioned communications, where necessary, facilitating the methods of forwarding them, also by setting up dedicated channels;
- they must communicate to the bodies in charge any change in the "biological" risk deriving from the Coronavirus for health in the workplace, and fulfil the other obligations related to health surveillance of workers through the competent doctor, such as, for example, the possibility of subjecting the most exposed workers to an extraordinary visit;
- they must not replace health workers and the system activated by civil protection which is responsible for ascertaining and collecting information relating to the typical symptoms of the Coronavirus and information on the recent movements of each individual.
- they must, as data controllers, scrupulously comply with the indications provided by the Ministry of Health and the competent institutions for the prevention of the spread of Coronavirus, without carrying out autonomous initiatives that involve collecting data, including health data, on users and workers where this is not provided for by law or ordered by the competent bodies.
2) The law decree n. 14 of 9 March 2020
Art. 14 dictates extraordinary provisions on the processing of personal data in the emergency context.
It provides that, for reasons of public interest and, in particular, to guarantee protection from the health emergency caused by the spread of COVID-19 through adequate prophylaxis measures, as well as to ensure the diagnosis and health care of the infected or the emergency management of the National Health Service, the subjects operating in the National Civil Protection Service, the offices of the Ministry of Health and the Higher Institute of Health, the public and private structures operating within the National Health Service and all subjects implementing the extraordinary measures may carry out processing, including communication between them, of personal data, including the data referred to in Articles 9 and 10 of the GDPR, that are necessary for the performance of the functions attributed to them in the context of the emergency determined by the spread of COVID-19. These subjects may omit the information referred to in Article 13 of the same Regulation or provide simplified information, after oral communication of the limitation to the interested parties. Authorizations can be granted in the same way.
The rule specifies that the communication of personal data to public and private subjects, other than those referred to in Articles 9 and 10 of Regulation (EU) 2016/679, is carried out in cases where it is essential for carrying out the activities related to the management of the health emergency in progress.
The rule also specifies that the processing of personal data is carried out in compliance with the principles of Regulation (EU) 2016/679, adopting appropriate measures to protect the rights and freedoms of the data subjects, and is limited to the period of the state of emergency, at the end of which suitable measures will be adopted to bring the processing of personal data carried out in the context of the emergency back within the scope of ordinary competences and the rules governing the processing of personal data.
For some, this provision represents a step backwards in the protection of privacy. However, it should be noted that the overriding interest worthy of protection at this time is public health; therefore, always respecting the dignity of people, the rule allows, in totally exceptional and emergency cases, a temporary derogation from the good rules of the GDPR.
In conclusion, if the company falls into one of the categories referred to in the aforementioned art. 14, it can, in case of need, carry out the processing in the manner described above.
3) The protocol of March 14, 2020 - for countering and containing the spread of the Covid-19 virus in the workplace
The social partners have reached a protocol that provides operational guidelines aimed at increasing, in non-health workplaces, the effectiveness of precautionary containment measures to counter the COVID-19 epidemic. The document confirms the provision of the reduction and / or temporary suspension of activities, together with the possibility for the company to resort to agile work and social safety nets.
The declared objective of the Protocol is to combine the continuation of production activities with the guarantee of health and safety conditions in the workplace and working methods. As part of this objective, the continuation of production activities can in fact take place only in the presence of conditions that ensure adequate levels of protection for workers.
Set out below are the operational implications of the Protocol within the company.
Information that the employer must provide to workers
The first point of the Protocol is dedicated to workers.
The company must inform all workers and anyone who accesses the company premises of the content of the provisions of the Authorities, delivering and/or posting at the entrance and in the most visible places of the company premises the appropriate information documents, which make clear:
a) the obligation to stay at home in the presence of fever (over 37.5°) or other flu symptoms and to call your family doctor and the health authority;
b) the impossibility of entering or remaining in the workplace, and the duty to declare this promptly, where, even after entry, dangerous conditions exist (flu symptoms, temperature, arrival from areas at risk or contact with people positive for the virus in the previous 14 days, etc.). In such cases, in fact, the provisions of the Authority require you to inform the family doctor and the Health Authority and to remain at home;
c) the commitment to comply with all the provisions of the Authorities and the employer in accessing the company (in particular, keep a safe distance, observe the rules of hand hygiene and behave correctly in terms of hygiene);
d) the commitment to promptly and responsibly inform the employer of the presence of any flu symptoms during the performance of work, taking care to remain at an adequate distance from the people present.
The second point of the protocol is dedicated to the methods of entry into the company.
- The employer must inform the workers, and those who intend to enter the company, in advance that access is barred to those who, in the last 14 days, have had contact with subjects who tested positive for COVID-19 or come from areas at risk according to WHO indications.
- Even the entry of external visitors (cleaning company), which should in any case be reduced as much as possible, must be subject to company rules.
- Upon access, workers can be subjected to body temperature control in real time. If the reading is higher than 37.5°, access to the workplace is not allowed.
- The person who develops fever and symptoms of respiratory infection in the company will be temporarily isolated (according to the provisions of the health authority) and the company will immediately proceed to notify the competent health authorities and the emergency numbers for COVID-19 provided by the Institutions.
- In the case of temporary isolation due to exceeding the temperature threshold, as well as in the event that the subject / worker communicates that he has had, outside the company context, contacts with subjects who tested positive for COVID-19, it is necessary to guarantee the confidentiality and dignity of the worker.
- Similarly, in the case of removal of a worker who develops fever and symptoms of respiratory infection during work, it is necessary to ensure the confidentiality and dignity of the worker.
Information on the protection of personal data
The detection of body temperature constitutes a processing of personal data and, therefore, must take place in compliance with the European Regulation on the protection of personal data (EU Reg. 2016/679).
The Protocol also suggests the operational methods of data processing:
1) detect the temperature and do not record the acquired data.
2) provide information on the processing of personal data pursuant to art. 13 GDPR.
As for the contents of the information, the Protocol specifies that:
- with reference to the purpose of the processing, the prevention of COVID-19 contagion may be indicated,
- with reference to the legal basis, the implementation of anti-contagion security protocols may be indicated pursuant to art. 1, no. 7, lett. d) of the Prime Ministerial Decree of 11 March 2020 (art. 6, lett. e), as well as art. 9, lett. b), GDPR);
- with reference to the timing of any data retention, it is possible to indicate the end of the state of emergency.
The Protocol recalls that the data can be processed exclusively for the purpose of preventing contagion from COVID-19 and must not be disseminated or communicated to third parties outside the specific regulatory provisions.
With reference to the legal basis, the above processing represents an explicit derogation from the prohibition, under Article 9, par. 1, GDPR, on processing special categories of personal data, including data relating to health. It is attributable to the case of par. 2, lett. b), of the same article, where "the processing is necessary to fulfill the obligations and exercise the specific rights of the data controller or of the data subject in the field of labor law and social security and social protection, to the extent authorized by the law of the Union or of the Member States or by a collective agreement under the law of the Member States, in the presence of appropriate safeguards for the fundamental rights and interests of the data subject."
The security measures
The Regulatory Protocol also suggests defining the appropriate security and organizational measures to protect the data.
In particular, from the organizational point of view, it is necessary to identify the persons in charge of processing and provide them with the necessary instructions. By persons in charge we mean professionals subject to professional secrecy. In fact, the Protocol specifies that "the competent doctor reports particularly fragile situations and current or previous pathologies of the employees to the company and the company provides for their protection in respect of privacy, the competent doctor will apply the indications of the Health Authorities".
As for the measures, whoever carries out the aforementioned processing must always operate with reference to the provisions of paragraph 1 of art. 25 GDPR in relation to the pseudonymisation of data, as well as all the provisions of art. 32 GDPR.
On the release of the epidemiological risk declaration
In this regard, the Guarantor intervened and specified that, if a declaration is requested certifying that the person does not come from areas at epidemiological risk and has had no contacts, in the last 14 days, with subjects who tested positive for COVID-19, the Protocol itself recalls the need to pay attention to the regulations on the processing of personal data, since the acquisition of the declaration constitutes data processing.
To this end (in accordance with the so-called minimization principle pursuant to Article 5, paragraph 1, letter c), GDPR) it is suggested to collect only the necessary, adequate, and relevant data with respect to the prevention of contagion from COVID-19.
The employer and / or the company, therefore:
- if it requests a statement on contacts with people who tested positive for COVID-19, it must refrain from requesting additional information about the person who tested positive,
- if it requests a declaration on the origin from areas at epidemiological risk, it must refrain from requesting additional information regarding the specificities of the places.
4) The Statement of the European Data Protection Committee of 16 March 2020 - GDPR and coronavirus: the intervention of the EDPB
On March 16, 2020, the President of the European Data Protection Committee (EDPB) gave her view, through the issuance of a Statement, on how to apply the legislation on the protection of personal data in the context of the coronavirus crisis.
This intervention was necessary to harmonize the previous indications provided by the numerous European Guarantors, who have recently expressed themselves, often in a discordant way, on the matter. First, the EDPB has clarified that privacy legislation does not constitute a limit to the adoption of measures to combat the coronavirus pandemic. Indeed, the Committee underlines how the European Regulation offers various legal bases that can be used, as an alternative to consent, to process personal data as a measure to contain the contagion.
The EDPB indicates in particular that the processing could be justified if:
a) "necessary for reasons of public interest in the public health sector";
b) "necessary to protect a vital interest of the data subject or of another natural person";
c) "necessary to fulfill a legal obligation".
Therefore, the Committee seems to be in line with the urgent measures which, in recent days, could seem, at first glance, to have compressed the sphere of rights linked to the protection of personal data.
By issuing the Statement, the EDPB seems open to the possibility of allowing companies to collect the personal data of their employees and others, including health data, to prevent the spread of the virus, at least if this happens according to criteria of proportionality and respect for the dignity of each individual.
In light of the regulations and indications set out above, and while waiting for more detailed information at both national and EU level, it is recommended to limit processing to what is deemed strictly necessary, and always to carry it out in compliance with the provisions of the GDPR legislation as well as with respect for human dignity.
Bologna - June 20, 2020
Avv. Chiara Salerno
– Studio Legale de Capoa e Associati – Bologna – email@example.com