Series on Data Protection and Corona – Part 5: Data Protection compliant remote work

25. March 2020

The corona virus (SARS-CoV-2) is currently omnipresent. In order to slow down the spread of the virus, many companies, offices and employers are switching to having their staff work remotely. But even in times of pandemic crisis and in the home office, the conditions for compliance with existing data protection laws must be in place and need to be considered. The responsibility of the company or employer (as a controller) and thus, if applicable, the personal liability of the management remain unchanged.

For the period of working at home, the employer should establish strict and transparent rules that clarify both his own rights and obligations and those of his employees, regardless of where and on which end device the employees work. Therefore, each employer should take appropriate and proportionate measures to make sure that he and his employees act in compliance with the requirements of the GDPR during the whole period of the state of emergency within the EU.

Since data processing at home carries a higher risk of data loss and data breaches, it is recommended to consider the measures listed below and, further, to agree on such measures in writing, especially in order to avoid unnecessary misunderstandings and liability issues:

  • to provide employees with business (mobile) terminal devices for work in the home office, so that the devices can be updated regularly, firewalls and anti-virus protection can be set up, and unauthorized access can be prevented,
  • to prohibit the use of private devices and, as far as possible, to technically prevent this.

While the measures above can be implemented in the company or office, further precautions and instructions are required at the employee’s home workplace, such as:

  • the employer should set up a guideline on the handling of documents and how they are to be destroyed (e.g. shredding, and not misusing them as scrap paper),
  • employees should be aware of measures to protect confidential data and information against third-party access, such as a privacy filter or a password-protected screen saver in order to avoid “shoulder surfing”,
  • the employee should prevent viewing and access by third parties, e.g. by aligning the monitor, using a privacy filter or setting up an automatic, password-protected screen saver,
  • the workplace should be in a separate room,
  • employees who do not live alone should always lock their mobile devices or laptops when leaving,
  • business related documents or mails should not be forwarded to private mail accounts or mailboxes,
  • employees should set up secure passwords (the password should contain at least 8 characters, consisting of a combination of letters, numbers and special characters).

The series on data protection and corona will be continued tomorrow with a blogpost regarding the statement of the Global Privacy Assembly on “Data Sharing Practices to Fight the Corona Pandemic”.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.

Series on Data Protection and Corona – Part 4: Processing of health data in context of preventive measures against corona infections

24. March 2020

Stopping the spread of the corona virus as far as possible, or at least slowing it down, is the top priority these days. For this reason, many employers instruct their employees to work remotely from home wherever possible in order to reduce the risk of infection. However, this approach does not work for all businesses, such as the pharma industry, utilities (e.g. power plants), grocery stores, food retailers and suppliers. Therefore, such businesses have a strong interest in ensuring that neither the present employees nor visitors (or customers) are infected with the virus.

For infection prevention purposes, information on the state of health of individuals is an important means of helping to prevent people from getting infected with the virus and thus to “flatten the curve”. Such health information falls under the so-called special categories of personal data according to Art. 9 of the EU General Data Protection Regulation (GDPR) and is hence subject to a particularly high level of protection. Therefore, when requesting information about an employee’s or visitor’s health, there are a number of things to be considered.

What are health data?

First, the term ‘health data’ needs some clarification: According to Art. 4 No. 15 GDPR, health data are personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

The term health data thus not only covers disease-specific information about the data subject, such as a viral infection or drug consumption, but already the general statement as to whether someone is healthy or not. Information that may not directly indicate an individual’s state of health in the first place is also to be considered health data if, in fact, the context in which the information is to be used leads to a conclusion about an individual’s health condition.

When can health data be processed?

It remains to be clarified when health data can be processed for infection prevention purposes under the GDPR. First of all, it is very likely that consent to the processing of health data for infection prevention purposes cannot be freely given and would thus be invalid in nearly all practically relevant cases. Without the consent of the data subject, however, the processing of health data is only permissible in the exceptional cases according to Art. 9 para. 2 GDPR. In the following, this blog post therefore focuses on the options that are available without consent with regard to employees and visitors.

When is the employer allowed to collect and process health data of employees with regard to the corona virus, according to the GDPR?

Health data can be processed in the context of employment in the non-public sector to the extent that it is necessary for reasons of public interest in the area of public health (Art. 9 para. 2 lit. i) GDPR and local EU member state law, such as section 53 of the Irish Data Protection Act 2018 or § 22 para. 1 lit. c) of the German Federal Data Protection Act) and/or to the extent that it is necessary for the fulfillment of rights and obligations in the context of the employment (Art. 9 para. 2 lit. b) GDPR together with local EU member state law, such as the Irish Safety, Health and Welfare at Work Act 2005), as, e.g., the Irish and Hungarian Data Protection Authorities both stated (for the list of authority statements see our previous blog post, part 1).

However, the employer has a duty of care, particularly with regard to protection against the corona virus, which applies not only to the individual employee but also to all employees as a whole. Accordingly, the employer is obliged to take proportionate measures to protect the health of its employees during working hours. In particular, this also includes measures against diseases such as the corona virus that are notifiable under the local infection protection laws of EU member states.

Please note that, in accordance with the principle of data minimization, only the strictly necessary health data is to be collected and processed. Therefore, it is recommended that employers make use of other preventive measures (e.g. by teaching employees about infection prevention or providing them with hand disinfectant or protective clothing) before considering means of data processing. Moreover, such health data is to be treated strictly confidentially, both for the protection of the individual employee and to maintain industrial peace and the operation of the company. If the employer processes personal data which are not health data, he can – after careful examination – also rely on Art. 6 para. 1 lit. f) GDPR.

Does the employee have to report an infection?

The employee is also obliged to inform the employer of a corona infection because of his fiduciary duty to the employer. This principle of loyalty also authorizes the employee to disclose personal data of other individuals in the business environment with whom he has had contact. This disclosure to the employer and the subsequent assessment and storage of such information by the employer can be based on a legitimate interest of the employer under Art. 6 para. 1 lit. f) GDPR as well as on Art. 6 para. 1 lit. c) GDPR.

When is a company allowed to collect and process health data of visitors of its premises?

Since companies regularly welcome visitors and guests, companies also have a strong interest in taking precautionary measures to contain the virus. If health data needs to be processed for this purpose, this can be done after careful examination on the basis of Art. 9 para. 2 lit. i) GDPR and, where applicable, local EU member state law (as mentioned above). In the case of other measures in which personal data other than health data are processed, the employer may rely on his legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR (cf. BfDI).

What measures are permitted with regard to the containment of the corona virus?

Examples of permissible measures “against” employees:

  • measures without data protection relevance, such as hygiene regulations, general instructions (e.g., to stay at home if symptoms occur), cancellation/postponement of business trips, instructions to work remotely from home, regularly informing staff about relevant news about the virus,
  • requesting information on infection in case of justified suspicion,
  • asking infected employees for information about persons they have been in contact with in the company environment,
  • requesting information about whether they have been to a risk area after vacations or business trips,
  • processing of such information that has been proactively communicated by the employee, e.g. that there has been contact with a (potentially) infected individual,
  • obtaining consent to store emergency contacts and private contact details for notification purposes in case of emergencies and operational changes due to the corona virus.

Examples of non-acceptable measures “against” employees:

  • mandatory comprehensive questionnaires to the entire workforce (e.g. series of unreasonable surveys),
  • interviewing other workers to see if any of the staff have symptoms.

Examples of permissible measures for visitors or guests of the company:

  • measures without data protection relevance, such as hygiene regulations, restriction of visiting possibilities, a notice to postpone the visit if having symptoms,
  • requesting information on infection in case of justified suspicion,
  • asking infected visitors or guests for information regarding persons they have been in contact with in the company.

Examples of unacceptable actions towards visitors or guests of the company:

  • general (comprehensive) request for health information without justified suspicion.

The series on Data Protection and Corona will be continued tomorrow with a blog post on Data Protection compliant remote work.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.

Series on Data Protection and Corona – Part 3: Information Obligations, Measures and their assessment regarding Data Protection

23. March 2020

In the wake of the daily changing information about the COVID-19 virus, companies and employers are facing new challenges: on the one side, keeping their day-to-day business intact while preventing the spread of the pandemic, and on the other, complying with their obligations in regard to the processing of personal data.

While in the current situation it seems much more important to establish measures to keep the new Coronavirus from spreading, it is just as important not to forget the data protection issues arising with such measures. In order for the implemented measures to work, it is to be expected that the employer will process sensitive data, in particular health data. However, such sensitive data cannot simply be processed without a legal basis and without following data protection obligations, especially information obligations.

In the following, we would like to provide information on how to deal with the information obligations in Art. 13 GDPR and on potential legal grounds for the processing of personal data that comes with the measures taken by employers or companies.

Information obligations and measures against employees

In order to fulfill the information obligations in case of employees, it is important to recognize the difference between measures where only general personal data is being collected and processed, and measures which require the collection and processing of sensitive data, in light of the current situation specifically health data.

If an employer asks his employee for information on their last trip or if they have been to a high risk country, the processing would only touch general personal data. The legal basis for the processing of this personal data would be Art. 6 I lit. f GDPR. In such a case, the processing will be based on the balancing of interests in favor of the company and their obligation to ensure employees’ safety.

Concerning measures which collect and process sensitive health data, for example inquiries about symptoms or fever measurement at the entrance to buildings, the requirements of the GDPR are higher. It is generally not allowed to process health data unless the law provides an exemption. In Germany, the legal basis for such measures would be Art. 9 II GDPR, § 26 BDSG. It is also important to note that these types of measures cannot be made mandatory for the entire staff, as stated by the different supervisory authorities in their statements.

It is important to keep in mind that Art.9 II GDPR is an opening clause, giving the different countries the opportunity to implement exemptions in national laws. Please refer to your country’s supervisory authority for potential exemptions in your country.

Furthermore, the supervisory authorities of different countries have already published a statement on potential measures and their legal basis, a list of which you can find in our first blog post of this series.

Information obligations and measures against third parties

In the case of third parties, for example visitors or external clerks, employers cannot rely on their obligation to ensure safety in the same way as they can with employees. Measures against third parties are therefore more delicate in their approach.

It is generally not possible to use Art. 9 II lit. a GDPR as a legal basis, since consent cannot be freely given in light of the insufficient information. Therefore, in Germany, the collection and processing of general and sensitive personal data in regard to third parties finds its legal basis in Art. 9 II lit. i GDPR, § 22 lit. d BDSG and Art. 9 II lit. g GDPR, § 22 lit. c BDSG respectively.

Information necessary for Information Notices

First of all, as presented above, it is necessary to differentiate between information obligations and measures against employees and the respective obligations and measures against third parties, e.g. visitors. Each requires its own information notice in order to keep the different categories of data subjects compliantly informed.

During this ongoing pandemic situation, the different supervisory authorities, and in particular the German Data Protection Commissioner, have made it clear that, while there may be changes in regards to certain processing activities, the information obligations of processors will not become more lenient.

One of the main aspects remains the transparency (Art. 5 I sentence 1 lit. a GDPR), which finds its implementation in Art.13 and Art.14 GDPR. While the measures against the spread of the pandemic play an important role and broaden the processing permission of certain personal data, the data subjects need to be continuously informed about these measures, the processing and their legal grounds.

Overall, it is recommended to keep any information notices short but precise. Due to the nature of the crisis and the ever-changing situation, providing the required information on the processor and the nature of the processing helps to prevent confusion and keeps everything concise.

In particular, as a first step under the obligations of Art. 13 GDPR, it is necessary to define the purpose of the processing. Due to the health implications and broad risk of the virus, the purpose of the processing consists in the containment of the pandemic. Secondly, there needs to be a legal basis. For the respective processing measures and legal bases, please refer to the points above. Finally, the different categories of personal data collected must be listed precisely.

If the processing is based on the balancing of interests in Art. 6 I lit. f GDPR, it is further necessary to present the assessment made. While the data subjects’ interest in the non-processing of their personal data remains, the employer’s interest in keeping their employees from getting infected and further spreading the virus outweighs the data subjects’ interest in this case.

Furthermore, it is imperative that the personal data collected in these cases are not transferred, neither to third parties, nor to third countries. The nature of these personal data is highly sensitive, and therefore not to be disclosed.

Accordingly, it is to be expected that the retention period for such personal data has to be kept relatively short. In any case, it is recommended that the retention of the collected data should not exceed 8 weeks. This time frame can vary depending on the duration of the pandemic outbreak and can therefore be adjusted, but deletion has to occur at the latest with the end of the pandemic.

Overall, due to the daily changing nature of the situation, it is important to keep up to date with the supervisory authorities’ statements and their handling of the arising issues. We recommend keeping informed about the different legal opinions of the authorities in regard to certain measures while these very new circumstances unfold, and adjusting information notices as the need arises. You may also find further information on the processing of personal data in connection with the new Coronavirus in our previous blog post.

The series on data protection and corona will be continued tomorrow with a contribution on the subject of the processing of health data to protect from corona infections.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.

Series on Data Protection and Corona – Part 2: Data processing in connection with the coronavirus

20. March 2020

In the course of the coronavirus, the employer is caught in a field of tension between, on the one hand, the protection of his own employees, the safeguarding of operational procedures and the containment of the pandemic, and, on the other hand, the requirements placed on him in regard to data processing, in particular the processing of health data.

Some may not consider compliance with data protection requirements to be of paramount importance in the current situation.

Nevertheless, the data processing, especially the processing of sensitive data, should comply with the data protection requirements of the DSGVO and national data protection implementation law.

In Part 1 of the series we gave you a short overview on statements of the European Data Protection Authorities (DPA), which have been published by now. With this blog post we want to inform you on data processing in connection with the coronavirus.

Measures required by data protection law

The necessary measures to be observed and carried out in case of data processing relating to coronavirus do not differ fundamentally from those which must also be taken in any other data processing. The statements of the DPAs also do not indicate any relaxation with regard to data protection regulations.

These required measures include, among others:

  • the comprehensive information of the data subjects concerned according to Art. 13 GDPR (in this context, reference is already made to tomorrow’s article, which deals with this topic in detail),
  • the secure storage of personal data – further information on this follows in the course of this article,
  • the maintenance of a record of processing activities pursuant to Art. 30 para. 1 GDPR.

Secure storage of personal data

If the data processing is based on a legal basis from Art. 9 para. 2 DSGVO, several data security measures must be taken into account to ensure the security of the data processing.

Without claiming to be exhaustive, the following measures will be discussed here, with examples given:

  • Sensitisation of those involved in processing operations, e.g.:
    • data protection training of the employees involved in data processing,
    • raising awareness of the particular importance of sensitive data, such as health data,
    • reference to compliance with data protection standards, even in times of the Corona crisis.
  • Designation of a data protection officer:
    • if you are unsure whether and how you process personal data, appoint a data protection officer,
    • if you have already appointed a data protection officer, please contact him or her and ask for support.
  • Restriction of access to personal data within the responsible body and by contract processors, for example through:
    • introduction of an access concept and adherence to the ‘need-to-know principle’ – make sure that the circle of people with access rights is as small as possible,
    • locked storage of paper-bound documents, e.g. in a safe or at least a lockable cabinet (the number of people holding keys should of course also be limited),
    • password-protected digital documents (restrictive passing on of the password in consideration of the ‘need-to-know principle’).

The series on Data Protection and Corona will be continued tomorrow with a blogpost on “Tips for Information Notices”.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.

Series on Data Protection and Corona – Part 1: Statements of the European Data Protection Authorities

19. March 2020

The Coronavirus is omnipresent at the moment and affects each and every one of us.

Even if it is not obvious at first, data protection and the Coronavirus certainly have points of contact, namely when personal data is processed in relation to the virus. This can be the case both in the employment context and also in relation to visitors and suppliers to a company. For example, in order to protect their own employees, one company may conduct access controls at the entrance to the company’s premises, while another company may ask their own employees about symptoms of the virus.

We would like to discuss these and other topics related to “Data Protection and Corona” with you in the next few days.

Today we would like to start this series by summarising the statements made so far by various European data protection authorities.

Legal basis for processing

The legal basis for the respective collection or processing of personal data within an EU context can be found in the EU General Data Protection Regulation (GDPR) in conjunction with the respective national/state data protection laws and sector-specific laws.

The legal basis for processing personal data follows from Art. 6 GDPR and for processing sensitive personal data, like health data, from Art. 9 GDPR.

Consent, pursuant to Art. 6 para. 1 s. 1 lit. a) GDPR and Art. 9 para. 2 lit. a) GDPR, should only be used as a legal basis if the data subjects have been fully informed about the data processing and have given their voluntary consent to a measure.

For the processing of personal employee data by public employers, the legal basis will be Art. 6 para. 1 s. 1 lit. e) GDPR. In this case, the data protection authorities recognise a measure in the public interest. Non-public employers act within the scope of their obligations arising from the employment relationship, Art. 6 para. 1 s. 1 lit. f) GDPR. In this context, special regulations from a member state’s collective bargaining law, labour law and social law may also need to be consulted. In the case of sensitive data processing, the escape clause of Art. 9 para. 2 lit. b) GDPR in conjunction with the respective member state law must be observed.

In relation to processing the personal data of third parties, e.g. guests or visitors, measures taken by public authorities must be based on Art. 6 para. 1 s. 1 lit. c) and e) GDPR, and if necessary, in conjunction with the respective member state laws. For measures taken in the non-public sector, Art. 6 para. 1 s. 1 lit. f) may serve as a legal basis. When processing sensitive data of third parties, Art. 9 para. 2 lit. i) in conjunction with member state laws may be applicable.

List of Statements

In the following, we provide you with a comprehensive list of statements made by various European data protection authorities on the processing of personal data in light of the Coronavirus up to this point:

The series on Data Protection and Corona will be continued tomorrow with a blogpost on “Data Protection in connection with the coronavirus”.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.

CNIL announces focus for Control Procedures in 2020

16. March 2020

The French Commission Nationale de l’Informatique et des Libertés (CNIL) has announced its focus in regard to the Control Procedures it intends to carry out in 2020.

Out of the 300 Control Procedures carried out in one year, in 2020 at least 50 of them are going to be focused on three prioritized themes: health data security, geolocation and cookie compliance. The CNIL decided to prioritize these areas because of the high relevance all of them have to the daily life of French citizens.

Especially with regard to health data, because of the sensitive nature of the data collected, and to geolocation data, due to the ever new solutions for transportation or enhancements to daily life, it is important to keep an eye on the scope of the data processing and the private sphere that is affected.

Regarding cookies and other tracers, the CNIL continues to underline their importance in regard to profiled advertising. On top of the planned Control Procedures, the CNIL intends to publish a recommendation on cookies in the spring of 2020. It will keep an eye on the implementation of the recommendation and give companies a 6-month period to adjust and implement it.

The CNIL also stated that it will continue to work together with other national Data Protection Authorities in order to ensure the regulation of transnational data processing.

Greek Data Protection Authority releases Guidance on Cookies

On 25 February 2020, the Hellenic Data Protection Authority (DPA) published guidance on Cookies and other tracking tools. Previously, the Authority had found that Greek websites and service providers had largely failed to comply with the rules on the use of Cookies and other trackers set out in the ePrivacy Directive and the GDPR, and reaffirmed by the European Court of Justice’s ruling on Planet49.

The guidance states that it will be relevant to HTTP/S Cookies, Flash Cookies, local storage applying to HTML 5, device fingerprinting, OS identifiers, and material identifiers.

The Greek DPA reiterated that, generally, providers are obliged to obtain the user’s consent if they are using any tracking tools – irrespective of whether the processing of personal data is taking place. It also outlined that technically necessary trackers are exempt from the obligation to consent. Furthermore, the guidance goes into detail on how information and consent can be made available on websites specifically.

Lastly, the Authority has given Greek website providers a grace period of two months to implement the provisions of this guidance and thereby become compliant with the European rules on tracking tools.

EDPB publishes GDPR Implementation Review

The European Data Protection Board (EDPB) released a review dated February 18th as a contribution to the evaluation of the General Data Protection Regulation (GDPR), which has now been in effect for 20 months.

Overall, the EDPB stated that it has a positive view of the implementation of the legislation in the different European Countries over the past 20 months. Furthermore, it deems a revision of the legislative text as likely, but not yet necessary in the near future.

The EDPB praised the Data Protection Authorities and their work until now, saying it hopes that the cooperation between them will create a common data protection culture and consistent monitoring practices. But the report also mentioned that Supervisory Authorities in the member states face restrictions due to different national procedures and practices, which can hinder cooperation. Furthermore, the EDPB sees a need to increase the funding of Supervisory Authorities to improve and support their duties.

On another note, the EDPB has acknowledged the challenges of implementation for Small and Medium-sized Enterprises (SMEs). It says it is aware of these challenges and works together with the Supervisory Authorities to facilitate the supporting tools they have released in order to support SMEs.

Lastly, it raised concerns about the timeframe of the new ePrivacy Regulation, and urged lawmakers to bundle their focus and efforts to carry on with its development.

Dutch DPA fines Tennis Association

12. March 2020

The Dutch Data Protection Authority has fined the Royal Dutch Tennis Association (“KNLTB”) with EUR 525,000 for selling personal data of more than 350,000 of its members to sponsors who had contacted some of the members by mail and telephone for direct marketing purposes.

In 2018, the KNLTB illegally provided personal data of its members to two sponsors for a fee. One sponsor received personal data from 50,000 members and the other sponsor from more than 300,000 members. It turned out that the KNLTB sold personal data such as name, gender and address to third parties without obtaining consent of the data subjects.

The KNLTB took the view that it had a legitimate interest in selling the data. However, the data protection authority rejected the existence of a legitimate interest for the sale of the data and therefore decided that there was no legal basis for the transfer of the personal data to the sponsors. The KNLTB has objected to the fine decision. The Dutch Data Protection Authority will assess this objection.

German Robert-Koch-Institute discusses mobile phone tracking to slow down the spreading of the Coronavirus

9. March 2020

According to a news report by the German newspaper “Der Tagesspiegel”, a small group of scientists at the Robert-Koch-Institute (RKI) and other institutions is currently discussing the evaluation and matching of movement data from mobile phones to detect people infected with the Coronavirus (COVID-19).

The scientists, who are trying to slow down the spread of the disease, complain about the time-consuming and vague questioning of infected people about whom they have been in contact with. The evaluation and matching of mobile phone data may be more accurate and could speed up the process of identifying infected people, which could be essential for saving lives.

In a comment, the German Federal Commissioner for Data Protection, Ulrich Kelber, stated that this procedure may raise major data protection issues, especially with regard to the legal basis for the processing and the proportionality of the processing under the GDPR.
