Ensuring occupational safety and protecting employees’ health have been of the utmost importance for many employers over the past few weeks. With the rapid spread of Covid-19, employers were forced to adopt strict preventive measures to ensure a safer working environment within their workplaces. While the most obvious solution was the adoption of home office schemes, not all jobs can be performed remotely.
Employers as GPs?
Employers understand that once an infected employee enters the workplace, other measures may not automatically stop the virus from spreading. Therefore, some businesses have introduced body temperature checks on employees upon arrival at work, intended to identify cases of possible infection. However, at the same time, there are valid concerns about whether such measures are invading employee privacy.
Preventive measures adopted by employers are certainly commendable, but are they correct, or even obligatory? Under Section 102 of the Czech Labour Code, employers are obliged to take measures aimed at risk prevention to ensure a safe working environment and conditions. However, what may seem like a reasonable measure at first sight is, in fact, a very tricky issue. Why? Because employers can never substitute for an employee’s GP – the only professional able to declare an employee unfit for work.
Two important questions have to be addressed. Firstly, is temperature measurement by employers breaching data privacy laws, namely the GDPR? Secondly, what happens if an employee arrives to work with a temperature?
Legitimate Interest of the Employers
Czech data protection experts have been waiting for more than two months since the first case of Covid-19 in the Czech Republic for the Office for Personal Data Protection of the Czech Republic (“the OPDP”), the Czech data protection authority, to finally comment on this issue.
In its statement, the OPDP pronounced the processing of temperature measuring data as lawful for the purposes of legitimate interests pursued by the employer under Article 6(1)(f) of the GDPR in conjunction with Article 9(2)(b) of the GDPR. The latter provision enables the processing of sensitive data for the purposes of exercising specific rights of the controller or the data subject in the field of employment. According to the OPDP, this provision will help employers to comply with its duty of prevention.
Therefore, from the OPDP’s perspective, the answer to the first question – is temperature measurement by employers breaching data privacy laws? – is a definite no.
Home Office As The Only Way
Concerning the second question, the OPDP expressly stated that, from the data protection perspective, it is legitimate for the employer to take further measures based on the finding of elevated temperature and agree with the employee, for instance, on the home office regime.
It is, unfortunately, not clear whether the home office agreement is the only suitable solution for the employer. The home office option does not provide an answer when an employee does not agree with the employer on a home office regime and simultaneously refuses sick leave. As already mentioned above, an employee may only be declared unfit for work by a GP. Consequently, the employer would be probably forced to send the employee home while paying him/her full salary compensation.
Assess, assess, assess!
The OPDP, however, added that the data controller must continuously assess – in terms of the nature of the workplace – the number and concentration of employees or other persons present at the workplace as well as the current development of the pandemic. This includes preliminary consultation with medical staff members.
It is not entirely clear whether ‘assessing’ means the execution of the Data Privacy Impact Assessment (“the DPIA”) under Article 35 of the GDPR. From our point of view, the DPIA is at any rate recommendable.