The French data protection authority (CNIL) and other European data protection authorities were required to give their opinion in order to clarify the measures that could be put in place to limit the spread of the virus in compliance with the GDPR and national laws.
On 6 March, the CNIL issued a statement reminding employers of what they are allowed and forbidden to do concerning the processing of personal data of their employees, agents or visitors.
Although the CNIL recognises the employer's obligation to put in place measures to protect the health and safety of its employees (such as the implementation of actions to prevent occupational risks), it states that the employer must not infringe on the privacy of the data subject. It is not allowed to collect health data that would go beyond the management of suspicions of exposure to the virus, such as the systematic and widespread collection of information relating to the search for possible symptoms presented by an employee or his/her relatives.
On the other hand, it is possible for health authorities, qualified to take appropriate measures, to collect health data. The CNIL specifies that the evaluation and collection of information on coronavirus symptoms and information on the recent movements of certain people is the responsibility of these authorities.
The European Data Protection Board (EDPB) also adopted, on 19 March, a statement on the processing of personal data in the context of the Covid-19 epidemic.
Thus, the EDPB recalls the legal basis of the GDPR on which employers and competent public health authorities can rely to process data, including health data, in the context of the Covid-19 crisis, without the need to obtain the consent of the data subject.
Indeed, as regards health data, the EDPB states that employers could base such processing on the derogation of Article 9(2)(c) of the GDPR relating to the protection of the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent, or on the derogation of Article 9(2)(i) of the GDPR relating to reasons of public interest in the area of public health.
In addition, the CNIL announced on 25 March that the publication of the final version of its recommendation on cookies and other tracers, which was initially scheduled for early April 2020 following the public consultation held in early 2020, would be postponed to take account of the current context. The date of publication will be set in the light of developments of the situation.
Finally, in order to facilitate research projects on Covid-19, the CNIL announced on 26 March that it would instruct with priority, within extremely short deadlines, requests for authorization in the event that the planned data processing does not comply with the CNIL's reference methodologies, for which a mere declaration of conformity is sufficient.
♦ ♦ ♦
Gide's IP-TMT practice group is available to answer any questions you may have in this respect. You may also get in touch with your usual contact at the firm
This legal update is not intended to be and should not be construed as providing legal advice. The addressee is solely liable for any use of the information contained herein and the Law Firm shall not be held responsible for any damages, direct, indirect or otherwise, arising from the use of the information by the addressee.
>> Click here to read the legal updates of Gide's multidisciplinary taskforce set up to answer all your legal issues relating to Covid-19.