CNIL Updates Data Protection Guidance for Employers in the Context of Lifting COVID-19 Containment Measures
On May 7, 2020, the French Data Protection Authority (the “CNIL”) updated its previous guidance for employers relating to the processing of employee and visitor personal data in the context of the COVID-19 outbreak, in particular, in the context of lifting containment measures (the “Updated Guidance”). Some employers may consider implementing systematic body temperature checks at the entrance to their premises. Similarly, employers may wish to assess employees’ exposure to the virus or their health statuses when they return to work. The Updated Guidance analyzes some of these practices and outlines the principles applicable to data processing activities.
The Updated Guidance reminds employers and employees of their respective safety obligations:
In accordance with Articles L.4121-1 and R.4422-1 of the French Labor Code (the “Code”), employers are responsible for the health and safety of their employees. As part of this obligation, employers may take the following measures:
Remind employees, who work in contact with others, of their obligation to report internally (to the employer) or to the competent public health authorities that they are infected or suspect they have been infected with COVID-19 for the sole purpose of allowing the employer to adapt the working conditions;
Facilitate the transmission of such information by setting up, if necessary, dedicated channels; and
Facilitate remote working methods and encourage the use of occupational medicine.
In the event employees report (suspected) infections, employers may only process the following information: (1) the date and the identity of the employee in question; (2) the fact that the employee reported the infection or suspected infection; and (3) the organizational measures implemented by the employer.
In accordance with Article L.4122-1 of the Code, each employee must ensure that he or she maintains not only his or her own health and safety, but also the health and safety of anyone with whom the employee may be in contact in the course of his or her professional activities. In the context of the current health crisis, this implies that employees who work in contact with others (colleagues and the public) must inform their employer in the event of infection or suspected infection with COVID-19 whenever they may have exposed some of their colleagues to the virus. Employees who work remotely or do not have contacts with other colleagues or the public do not have such an obligation.
Body Temperature Checks
The Updated Guidance stresses that, unless explicitly contemplated by a law, employers are currently not allowed to take the following measurements:
Body temperature readings of employees or visitors, if those readings are recorded by automated means or in a paper record; or
Automated capture or scanning of body temperature through tools such as thermal cameras.
However, employers would be allowed to check temperatures at the entrance to their premises, using a manual thermometer (such as a non-contact infrared thermometer), if no temperature data is recorded and there is no internal or external reporting of that information. The Updated Guidance explains that if these conditions are met, employers are not processing any personal data and therefore the checks would not be subject to the EU General Data Protection Regulation (“GDPR”).
Serology Tests and Health Status Questionnaires
In addition, employers are not allowed to conduct serology tests to detect COVID-19 or require their employees to complete health status questionnaires. The Updated Guidance reminds businesses that only competent health personnel (such as occupational doctors) may collect, implement and have access to medical forms or questionnaires that contain data on employees’ health statuses or information relating to their family situations, living conditions or possible travels. Similarly, the results of serology tests are subject to medical professional secrecy. Employers may only know that employees are fit or unfit to work.
Business Continuity Plans
Employers may need to establish a business continuity plan that aims to maintain the critical activities of their organization in times of crisis. The plan must specify all necessary measures to protect the safety of employees, and identify the critical activities that need to be maintained, as well as the people necessary to ensure business continuity. The organization may then create a data file in order to set up and maintain the plan. Only necessary personal data must be processed to that end.
Read the CNIL’s Updated Guidance (in French).