Last week, I published information from both Singapore and the U.S. to compare how they are handling disclosure and privacy issues in light of the COVID-19 pandemic. Today, let’s look at France and Denmark.
France
Kristof Van Quathem and Dan Cooper of Covington and Burling write:
On March 6, 2020, the French Supervisory Authority (“CNIL”) released a statement on processing personal data in light of COVID-19.
The CNIL notes that while everyone should take measures to prevent the spread of the virus, such efforts must comply with applicable data protection rules, in particular when collecting and processing sensitive health data. As a result, employers should not collect in a generalized manner information about possible symptoms of the disease from employees and their relatives. For example, it does not feel it is appropriate for employers to subject employees and visitors to regular temperature checks or to collect health data from them through questionnaires. The CNIL’s position, in this respect, is similar to the guidance released by Italy’s Garante, which we discuss here in a separate post.
The CNIL also notes that pursuant to applicable labor laws, an employer is required to guarantee the security and safety of its employees and is thus allowed to:
- invite employees to report possible individual risks of exposure;
- provide dedicated channels for reporting concerns; and
- promote schemes to enable staff to work remotely.
Relevant information may be shared with competent authorities, like local health authorities and disease control centres.
Read more of their post on InsidePrivacy.
Denmark
Dan Cooper and Luca Tosoni of Covington and Burling write:
On March 5, 2020, the Danish Supervisory Authority (“Datatilsynet”) issued a guidance document in which it clarifies how companies should process the personal data of their employees in the context of the coronavirus (“COVID-19”) crisis (see here, in Danish). This follows the publication of a similar guidance by the Italian Supervisory Authority (“Garante”) (see our previous blog here).
Datatilsynet’s approach seems more flexible than the Garante’s. According to Datatilsynet, an employer may, to a large extent, collect and disclose information on its employees, if the circumstances make it necessary, and provided that such a collection or disclosure is not prohibited under employment or health law and that the information in question is not very detailed and specific.
For example, Datatilsynet takes the view that, in the context of the COVID-19 crisis, an employer may lawfully record and disclose: (i) whether an employee has visited an epidemiological risk area; (ii) that an employee is at home in quarantine (without stating the reason); and (iii) that an employee is ill (without stating the reason).
Read more of their post on InsidePrivacy
Full Disclosure: As a reminder, Covington & Burling have represented this blog, this blogger, and DataBreaches.net, pro bono, for more than a decade now. Their commitment to privacy and to protecting media is enduring and powerful.