GDPR implications of measures in the field of labor and social protection during the state of alert

Pursuant to article 71 paragraph (2) of Law no. 55/2020 establishes the obligation of public institutions and authorities, economic operators and professionals (the persons concerned by the legal provisions) to ensure on entering the worksite, the epidemiological screening and mandatory disinfection of hands, both for personnel and visitors. The measures to be applied during the state of alert have been adopted by order of the relevant ministers, at the proposal of the National Committee for Special Emergency Situations (CNSSU).[1]

Compliance with the obligation to ensure the epidemiological and observational screening might raise certain concerns regarding personal data protection. Further we will assess what issues might occur and how employers can overcome them.

Health data (including body temperature) represent personal data to the extent that these a record is kept and, together with other data associated with an individual, they allow for the identification of the respective individual. Health data is considered sensitive and processing can only take place subject to fulfilling certain conditions, in accordance with the law. From a compliance perspective with the General Data Protection Regulation (GDPR), even if the law imposes on employers the obligation to perform epidemiological screening, these remain responsible for the conditions in which they process the respective data.

The new provisions of Order no. 874/81/2020 issued by the Health Ministry mentions that the epidemiological screening “does not imply registration of the personal data”. However, practical implementation of measures raises certain issues and questions regarding those cases where a record is necessary either as a logical consequence of the application of legal provisions, or for the proper functioning of the person concerned by the law. We recommend special attention to legal obligations in the case of health data processed as a result of the epidemiological screening, to the extent that a record is kept of the individuals considered suspect of or whose body temperature exceeds 37,3°C and who have been directed to a medical consult.

Although the law imposes certain measures, such as taking body temperature, implementation will need to take into account the GDPR principles, such as transparency, data minimization (setting out the data strictly necessary to perform their activity and comply with legal obligations), storing such data for a limited period of time, applying appropriate technical and organizational measures for sensitive data protection, including by ensuring restricted access.

First of all, we recommend that the persons concerned by the legal provisions inform in advance their employees and visitors with respect to the measures taken and the legal grounds, ideally by means of a public displayed notice in a visible place upon entrance to the premises.

Please note, that in no case will a record be kept of the body temperature of all persons subject to the epidemiological screening, in case no other measure is imposed with respect to these.

From a practical standpoint, one will have the issue of internal records reflecting the motifs for absence from the workplace (namely registration or not of health data as a motif), respectively the follow-up on the conclusions of the medical consult, as the case may be. Considering that the law does not give additional details, in case the medical consult will not result in a medical leave being prescribed, one will ask if the employee needs to present a medical certificate of good health in order to come back to the workplace (thus adding to the health date being processed by the employer).

By corroborating with other employment law provisions and especially regarding occupational medicine, employers can find legal grounds for practical measures in implementing the new legal obligations, depending on the particularities of each. From a practical standpoint, solutions will differ in the case of employers who have designated occupational medicine medical personnel in the workplace, and those without such specialized resources.

With respect to epidemiological screening with respect of visitors, we consider that the cited norm contains a contradiction, since it provides that no personal data will be recorded, while also providing that persons with no suspect symptoms (including body temperature) will be allowed on the premises “after registration of the office/room/department where they are going”. From the perspective of data protection regulations, an analysis is necessary with respect to record keeping and the motivation for such measure. We mention that it is always preferable to find an alternative measure which avoids personal data records, especially sensitive data.

We also mention that the epidemiological screening measure is now imposed by law during the state of alert. Following the end of the state of alert and in the absence of future express legal provisions to impose similar measures, employers will need to resume the analysis of GDPR compliance if they intend to continue implementing such protective measures. We also add that many EU member states have discouraged the systematic collection of employee health data by the employers.

[1] The relevant orders in this matter are: (i) In the field of labour and social protection, the measures were adopted by Order no. 3577/831/2020 regarding measures taken to prevent contamination with the new coronavirus SARS-CoV-2 and to conduct workplace activities in conditions of safety (hereinafter “Order 3577”), a joint order of the Minister of Labour and Social Protection and the Minister of Health; (ii)  Order no. 874/81/2020 on the establishment of the obligation to wear a protective mask, epidemiological screening and hand disinfection measures (“Order 874”) which details, among others, the procedure which must be followed for epidemiological screening; (iii) Order 1731/832/2020 of the Minister of Economy, Energy and the Environment (hereinafter “Order 1731”).