Here are the most frequently asked questions regarding personal data processing in the context of employment which have not been explicitly addressed in the supervisory authority’s statement on data processing in light of the coronavirus pandemic (mentioned in our previous post). Our answers draw on core data protection rules, binding labour law provisions, Chief Labour Inspectorate guidance and the EDPB Chair statement.
1) What are the possible legal grounds for processing employees’ personal data by employers?
Processing employees’ ordinary (non-special) personal data could be based either on Article 6(1)(d) of the GDPR, i.e. processing “necessary in order to protect the vital interests of the data subject or of another natural person”, or on Article 6(1)(f) of the GDPR, i.e. the “legitimate interests” pursued by the employer.
Special Categories of Personal Data
Special categories of employees’ personal data (for example, health data, such as body temperature) could be processed in Poland on several legal grounds:
- Article 9(2)(h) of the GDPR, covering processing “necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional”. However, it should be emphasized that under Article 9(3) of the GDPR this ground applies only where the data are processed by, or under the responsibility of, a professional subject to an obligation of professional secrecy (or by another person subject to such an obligation). Hence, in the context of employment, relying on this ground would require an employer to engage a physician or a nurse to take body temperatures or conduct medical check-ups onsite. Unless such a professional is engaged, an employer may not process health data on this ground.
- Article 9(2)(i) of the GDPR, covering processing “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”.
To date, neither EU nor Polish law provides such a basis for employers to process this type of data, nor does any such law lay down the specific safeguards for fundamental rights and freedoms that this ground requires. Neither the Regulation of the Minister of Health of March 20, 2020, which introduced the state of epidemic within the Republic of Poland, nor the Act on Counteracting COVID-19 contains any provision obliging sick or suspected individuals to undergo medical examinations or other preventive measures and treatments at the employer’s instance. Therefore, relying on this legal basis is not a viable option for Polish employers.
- Article 9(2)(b) of the GDPR, covering processing “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law”.
In Poland, there is no specific provision which would expressly allow employers to take employees’ body temperature. However, Article 207 of the Polish Labour Code does vest in the employer the responsibility for workplace health and safety. An employer shall protect the health and life of employees by ensuring safe and healthy working conditions, in particular by organising work in a manner that ensures healthy and safe working conditions, responding to needs relating to health and safety at work, and adapting the measures introduced to improve the level of health and safety to changing working conditions. At the same time, Article 211 of the Polish Labour Code obliges employees to cooperate with employers in discharging occupational health and safety duties. Based on those Labour Code provisions, employers should be able to justify the implementation of preventative measures they consider necessary and proportionate to contain the coronavirus pandemic, bearing in mind that the Labour Code itself does not authorise them to examine employees’ health (see question 2 below).
2) Is temperature/medical testing of employees permitted and, if so, on what terms?
This is unclear. The data protection supervisory authority’s statement is silent as to whether employers could conduct temperature or medical check-ups of employees and visitors. The EDPB’s statement, on the other hand, indicates that employers should only require health information or perform medical check-ups to the extent allowed under national law.
The Polish Labour Code, in principle, does not permit employers to conduct any medical check-ups of their employees. This aligns with the guidelines issued by the Chief Labour Inspectorate (available in Polish), according to which any evaluation of an employee’s health condition may be made only by a healthcare professional. If an employer nonetheless proceeds to make such a determination itself, this could be viewed as mobbing or harassment. An employer may not order an employee to undergo a medical check-up (for example, upon return from a COVID-19 affected area), unless such screening coincides with the periodic medical examination required under the Labour Code.
However, pursuant to the Polish Labour Code (Article 22.1b), an employer may process (i.e. collect) special categories of personal data of its employees (such as body temperature) on the basis of the employee’s consent, but only where the data are provided on the employee’s own initiative. This could only be the case if the body temperature is taken at the employee’s own request. Therefore, employers might try to introduce body temperature measurements, provided that the procedure is optional and an employee who declines suffers no adverse consequences; a measurement that is in practice a condition of entering the workplace would not qualify as consent freely given.
Alternatively, an employer might also request that the Chief Sanitary Inspector or a Voivodeship Sanitary Inspector issue a decision obliging an employer to adopt such preventative measure with respect to its employees, as provided for in Article 17 of the Act on Counteracting COVID-19 and as indicated in the statement of the President of the UODO. It is yet to be seen whether employers will go down that road.
As for visitors, an employer could conduct body temperature checks either based on their explicit consent (Article 9(2)(a) of the GDPR) or pursuant to Article 9(2)(b) of the GDPR read with Article 207 of the Polish Labour Code, which makes an employer responsible for occupational health and safety. In other words, an employer could argue that only visitors who undergo the temperature check (and whose temperature stays within acceptable parameters) will be allowed onto its premises. Note that Article 9(1) of the GDPR contains the general prohibition on processing special categories of data; the exceptions that lift it are listed in Article 9(2).
3) Can an employer share information about confirmed workplace COVID-19 cases with other employees/visitors?
Only to a limited extent. An employer is obliged to inform its staff and any visitors about COVID-19 cases at the workplace and to take whatever protective measures are necessary. However, it may not communicate more information than is strictly necessary for that purpose; in particular, it should not disclose the identity of the infected employee or details of their health condition. The disclosed information should be kept to a minimum, the infected employees should be informed in advance, and their dignity and integrity should be protected at all times. Usually, it will not be necessary to disclose the identity of the infected employee at all.
4) Can an employer order an employee to work remotely?
Yes. Pursuant to Article 3 of the Act on Counteracting COVID-19, in order to contain the coronavirus, an employer may instruct an employee to perform the work specified in the employment contract, for a fixed period, outside the usual place of work (in other words, to work remotely).
5) How should an employer proceed during remote work so as not to violate data protection regulations? What safeguards should be recommended to employees?
On March 18, the President of the UODO issued short guidance on how to protect personal data while working remotely. It outlines best practices for using devices, email, cloud services and networks when working remotely. The major takeaways are:
- Devices and software used for remote working should be kept up to date and protected with anti-virus software.
- Applications and software not compliant with the organisation’s security policies should not be installed.
- The workstation should be appropriately separated and the equipment used for work protected against access by unauthorised persons (including household members).
- Effective access controls (such as multi-factor authentication and strong passwords) and, where available, full-disk encryption should be used to restrict access to the device and to reduce the risk if it is stolen or misplaced.
- When a device is lost or stolen, immediate steps should be taken to wipe it remotely, where possible.
- Correspondence should be sent from official work email accounts and, if this is not possible, the contents and attachments should be encrypted; personal data and confidential information should not be placed in subject lines.
- Before sending an email, one should verify that it is addressed to the right recipient, particularly for emails containing large amounts of personal data or special categories of personal data.
- Trusted access to networks and so-called “cloud” services should be used; the rules for secure logging in and data sharing should be followed at all times.
- When working without cloud or network access, any locally stored data should be backed up securely.