Teleworking, health data & tracking: the challenge to comply with the GDPR

The world has been experiencing for several months a huge and unprecedented health crisis due to the COVID-19, which is likely to last several months, if not years. In this context, Luxembourg companies are facing complex operational and compliance challenges, and individuals as citizens are seeing a lot of questions and concerns raised both in the press and by regulators, about how measures taken by governments to control this pandemic can challenge their rights and freedoms to privacy.

For this reason, Grant Thornton Luxembourg has launched a series of Webinars about different topics around the COVID-19 crisis, implications for businesses and how best to deal with it.

Missed our webinar on GDPR on May 7^th? Find below tips and best practices from our seasoned practitioners!

Health data: limitations imposed on employers to processing this information

Corporates strive to protect their employees. At times, they need information about their health. There are however, limitations to what they can, and cannot do.

Do’s

• Raise awareness, and encourage staff to communicate if they have been exposed to Covid-19 to their employers as well as the relevant health officials
• Ease the transmission of such information by instilling secure communication mechanisms that ensure the confidentiality of staff
• Encourage remote working and rely upon « médecine du travail »
• In case you are notified that a fellow colleague has been exposed to Covid-19, take careful note of:

- The time and date the person may have been exposed

- Organisational and security measures taken to mitigate risk (isolation, teleworking, reaching out to the médecine du travail team, etc.).

Don’ts

• Divulge the identify of such persons to third parties or fellow colleagues without a clear justification
• Require staff to share their temperature or fill in medical questionnaires
• Ask visitors to attest they are free of symptoms, or seek to know their travels
• Have weak security measures in place. To preserve the confidentiality of persons, this last point is paramount, especially when it deals with health data. 

Teleworking: managing the fine line between professional and private data

A large number of corporates have also enabled their employees to “telework” i.e. work from home. When it comes to remaining compliant with the GDPR, what does this imply? What is one permitted to do? How should one manage security, the separation between professional and private data where personal devices are used, and increased threats from hackers?

• The employer should refrain from monitoring their employees when organizing working conditions, including via video or other means; 
• When processing personal data, including sensitive data, the latter should respect the following principles: 

- necessity, 

- proportionality,

- accountability, and 

- be guided by principles designed to minimize any risks regarding employees’ right to privacy. 

• The employer should not process personal data beyond what is necessary.  

Geolocation: privacy considerations behind tracking in the COVID-19 world

Tracking: what is it? In the Covid-19 context, it means using individuals’ location data and health data to monitor and attempt to contain the virus from spreading. Whereas tracking is already used in several countries throughout the world, we explore the thought process of the French data protection supervisory authority (CNIL) who the French government consulted on the contemplated use of the app, StopCovid. This case study enables one to understand how difficult it can be to balance the health of a nation’s citizens with the principles enshrined in the GDPR.

​CNIL recommendations summarised:

• Use StopCovid based on consent – Ensure no negative repercussions if not used
• Ensure transparency to instil trust
• Ensure data minimisation by promoting the use of pseudonyms
• Ensure limited data retention periods
• Ensure purpose limitation is adhered to:

→ Contact tracking = YES

→ Geolocate infected persons = NO

→ Ensure respect of confinement obligations = NO

Are you keen to know more about this topic?

View our GDPR Webinar recording

Contact our experts Lionel Gendarme, Advisory Partner and DPO of Grant Thornton Luxembourg, and Shariq Arif, Advisory Manager and external DPO for clients, to learn how we can help you address this critical topic.

Warning

The knowledge provided by this WebEx is purely informative. Although we do the utmost to ensure that this information is correct, we decline any responsibility as to possible damages, losses, losses of earnings, direct or indirect induced by its use​