News

End of the state of emergency and processing employees’ medical data

Although the state of emergency declared by the Czech government ended on 17 May 2020, due to the continued presence of COVID-19 in the Czech Republic a number of extraordinary measures remain in place as enacted by the Czech Ministry of Health to promote public health and limit the spread of the disease. Considering these measures and the current epidemic in the Czech Republic, Czech employers are now looking for ways to minimize the risk of COVID-19 spreading among their employees and keep their enterprise running safely.

Is it permissible from the standpoint of legal regulations on personal data protection to measure employees’ temperatures when entering the workplace or test employees for SARS-CoV-2?

Act No. 262/2006, the Labour Code (specifically Section 101 and 102) generally instructs employers to create a work environment and work conditions that are safe and non-hazardous to health through appropriate organization of occupational health and safety and enacting measures to avoid risks. However, the Labour Code does not explicitly state what specific measures employers should take to meet this obligation. 

With regard to measuring temperatures, the Czech Personal Data Protection Office (hereinafter the “PDPO”) stated several days ago that if the data on an employee with a higher-than-normal temperature measured upon entering the workplace with thermal cameras or frames with temperature-measuring sensors is recorded and kept on file with other data allowing identification of the employee, then it is considered personal data processing pursuant to Regulation No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data (hereinafter the “GDPR”). Information on an employee’s temperature or infection with SARS-CoV-2 also falls under the special category of sensitive personal data pursuant to Article 9(1) of the GDPR, as it is medical information on the employee. This means that the employer can only process this information if it has sufficient legal grounds (i.e. not only under Article  6 of the GDPR, but also Article 9(2) of the GDPR).

The measures by the Czech Ministry of Health currently in force explicitly instruct certain categories of employers (such as food service operators, barbers, etc.) to restrict workers (thus also employees) with a temperature of 37 °C or more from entering the workplace. These groups of employers are therefore authorized to process the data on employees’ temperatures in order to meet their obligations under labour law and public health pursuant to Article 6(1)(c) in conjunction with Article 9(2)(b) and (i) of the GDPR.

In other cases legal regulations do not explicitly instruct employers to process their employees’ temperatures. Considering the current extraordinary situation involving the epidemic, however, the PDPO concluded that in these cases processing employees’ temperatures can be considered processing on the basis of the employer’s legitimate interests consisting of 
exercising special rights in the area of labour law pursuant to Article 6(1)(f) in conjunction with Article 9(2)(b) of the GDPR, as it helps the employer meet its obligation to prevent risks to its employees’ health.

With regard to testing employees for SARS-CoV-2, the UK Information Commissioner’s Office has addressed this question specifically. It stated that the legal grounds for processing personal data in connection with this testing can be the employer’s legitimate interests consisting of meeting obligations or exercising special rights in the area of labour law pursuant to Article 6(1)(f) in conjunction with Article 9(2)(b) of the GDPR. 

Whichever of the above cases applies, however, employers must always analyze whether the measures they are considering adopting are truly necessary for their activities, especially considering the nature of the workplace, the number and concentration of workers, and current developments in COVID-19 infections, and whether they can be replaced by other, less invasive measures. Only if an employer conclues that the measure is truly necessary, states
the grounds for its planned measures and meets the other conditions stipulated for processing sensitive personal data, it will be possible to conclude that the personal data processing is in accordance with legal regulations.

Employers must continue assessing the necessity of the measures and discontinue them as soon as they are no longer necessary. The PDPO has also pointed out in this regard that measures that can be considered necessary under the current, extraordinary circumstances will no longer be justifiable after the situation returns to normal. Employers will also need to take this into account when making their assessments.

Employers should also keep in mind that they may be processing significant amounts of sensitive personal data on their employees, and so they may be required to perform a data protection impact assessment pursuant to Article 35 of the GDPR (hereinafter “DPIA”). Preparing a DPIA is especially relevant if the employer is considering testing its employees without being directly required to do so by legal regulations.