Polish Supervisory Authority’s Guidance

On March 12, the Polish supervisory authority (the President of the UODO) issued a statement on data processing in light of the coronavirus pandemic. This statement (available in Polish here) is short on certain details and it is, therefore, of little guidance. It is silent on particular questions which have plagued most employers since the outbreak of the coronavirus pandemic, for example, the burning issue of whether employers may take employees’ or visitors’ body temperature and perform other medical check-ups.

According to the statement, the personal data protection provisions may not – in and of themselves – hinder the implementation of the disease containment measures. Therefore, the recent Act on Counteracting COVID-19 [1] should not be considered as contradicting the data protection principles and as violating the GDPR. The Polish regulator also noted that the GDPR does acknowledge situations related to protecting health and preventing infectious diseases from spreading (Article 9(2)(i) and Article 6(1)(d)) and allows lawful processing of personal data where it is necessary to protect interests essential to a data subject’s life, for example, where processing is necessary for humanitarian purposes, including monitoring epidemics and their spread.

The statement points to the powers of the Chief Sanitary Inspector (or a Voivodeship Sanitary Inspector) to order entrepreneurs, by way of a decision, to take certain preventive or control measures and to cooperate with other public administration bodies and those of the Chief Sanitary Inspectorate, as well as [2] to the power of the Prime Minister (at the voivode’s request, having informed the minister competent for economic matters) to issue orders, binding on entrepreneurs, toward counteracting the spread of the virus. However, it sidesteps the issue of whether entrepreneurs can take any such specific preventive or control measures on their own initiative and to what extent. The statement is merely a general recommendation to the effect that, when implementing any measures or taking any action with a view to counteracting the spread of the coronavirus, entrepreneurs should follow the announcements of the Chief Sanitary Inspectorate and that all issues related to containing the disease should be first reported to the Chief Sanitary Inspectorate (GIS), as the competent authority.

European Data Protection Board’s Statement

On March 19, 2020, a week after the statement of the President of the UODO, the Chair of the European Data Protection Board (EDPB) issued its own statement on personal data processing in the context of the COVID-19 outbreak (available here).

Much like the Polish regulator, the EDPB stated that the EU data protection rules do not stand in the way of measures taken to contain the coronavirus pandemic. The fight should be supported in the best possible way, as it is in humanity’s interest to curb the disease and to use modern techniques to fight it. However, even under such extraordinary circumstances, personal data must be protected and lawful processing must be assured at all times.

Any measures taken to arrest the pandemic must be aligned with the laws generally in effect and may not be irreversible. A state of emergency may legitimise certain restrictions of liberties, though they must be commensurate with the situation and temporary. Personal data necessary to attain such objectives should be processed for specific and explicit purposes and data subjects must be provided with transparent information on the processing activities and their main features (i.e. retention periods and processing purposes). Such information should be easily accessible, clear and intelligible.

Adequate security measures and confidentiality policies ensuring that personal data is not disclosed to unauthorised parties should also be in place. Measures implemented to manage the COVID-19 emergency and the underlying decision-making process should be duly documented.

As for processing personal data in the context of employment, the EDPB indicated that the GDPR allows competent public health authorities and employers to process personal data in an epidemic, in accordance with and within the confines of the national laws. It pointed out the legal grounds which might be relied on when processing personal data during the COVID-19 spread. For example, the EDPB stated that, when processing is necessary in furtherance of a material public health interest, there is no need to seek individual consent. In the context of employment, processing personal data may be necessary for an employer to meet certain legal obligations, such as ensuring workplace health and safety, or for the general public interest, such as controlling diseases and other health hazards. It also emphasized that the GDPR allows processing certain special categories of personal data, such as health data, where it is necessary for a material public health interest (Article 9(2)(i)), on the basis of EU or national law, or where vital data subject interests must be protected (Article 9(2)(c)), because Recital 46 explicitly refers to epidemic control.

What, Then, Is the Conclusion?

Although the Polish supervisory authority did not address any particular questions regarding processing health data in the employment context, its statement, and that of the Chair of the EDPB, seems to provide sufficient guidance for employers who wish to implement measures toward containing COVID-19. Whatever action employers intend to take in order to counteract COVID-19, it must be in accordance with the applicable laws. Inasmuch as the data protection rules set forth in the GDPR do not hinder measures taken in the fight against the coronavirus pandemic, those measures must, nonetheless, be aligned with the core personal data protection principles. Although the regulators acknowledge the need to contain the disease, and the necessity to implement any and all measures to that end, those measures cannot violate the basic EU data processing principles and employers will always have to weigh up general workplace safety amid the COVID-19 outbreak against the rights and freedoms of individual employees.

In our next entry we will address the most frequently asked questions regarding personal data processing in the context of employment which have not been explicitly addressed in the supervisory authority’s statement.

[1] The Act of March 2, 2020 on Special Solutions toward Preventing, Counteracting and Combating COVID-19, other Infectious Diseases and Related Emergencies.

[2] Article 17 of the Act on Counteracting COVID-19.