COVID-19 and employers: data protection rights and duties

The phased deconfinement that we are experiencing does not mean that the COVID-19 pandemic has disappeared. We are all aware that a second wave cannot yet be ruled out and that it must be avoided at all costs. In this context, the question arises as to what measures employers can, respectively should and should not take to protect their employees as some of them are preparing to return to the workplace.

In addition to everyone’s duty to contain the pandemic and thus contribute to protecting the population as a whole, regardless of any employment relationship, art. 328 of the Swiss Code of Obligations requires the employer to take the necessary measures to protect the health of his employees, including those that are applicable in the state of the art. If compliance with the measures ordered by the Federal Council is a matter of course, the question arises as to whether the employer is entitled to go beyond them.

If additional measures are contemplated within companies, however, these measures must be taken in accordance with the rules imposed by data protection laws, which in Switzerland are governed by the Federal Data Protection Act (DPA).

In this context, the Federal Data Protection Commissioner published a press release on 17 March 2020 reminding that the processing of data to fight the pandemic by private individuals must be carried out in accordance with the principles enshrined in Article 4 of the DPA. In this respect, the measures taken must be proportionate and must not go beyond what appears necessary to achieve the desired objective, i.e. to protect employees and, more generally, to prevent the spread of the pandemic.

As soon as the data collected are sensitive, only the consent of the employee can, in principle, make such processing lawful. Fortunately, however, Article 13 of the law provides that an overriding public interest justifies such processing, notwithstanding the absence of consent by the individual. It is not difficult to argue that such an interest exists at least for the time being, and presumably until the pandemic is not permanently under control.

As such, the following appear to be admissible and in accordance with the principle of proportionality:

• In principle, the temperature of any person entering the premises (including visitors) should be checked if no record is kept of it, since in reality no data processing is then taking place. We specify “in principle” since, as this is not a systematic symptom in persons with COVID-19, it could be seen as an infringement of personal freedom that may cast doubt on its admissibility and to which any person, if he or she so wishes, could probably object.
• The collection of health data when the employee returns to work on site, as long as this data relates exclusively to COVID-19 in order to protect the employee himself, his colleagues and the general public. In this context, the implementation of a floating window, for example, consisting of a form drawing the employee’s attention to his obligations and inviting him to answer a few targeted questions, appears acceptable in Switzerland from our point of view.
• The invitation to the employee to communicate any suspicion of contamination to his employer without delay, to enable the employer to take the necessary measures to protect his co-workers if necessary.

However, we do not consider the following measures to be permissible:

• The recording of the temperature reading on a file, as it then constitutes, once linked to an individual, sensitive personal data.
• Inviting an employee to fill out a form as mentioned above each day or at each login. In our opinion, if the use of such a form appears acceptable when the employee returns to the site or on a reasonable periodicity (for example every month), to do so every day appears excessive. Invite the employee to communicate immediately to his employer any change in his answers, since they are then likely to suggest possible contamination.
• Inviting an employee who is teleworking to complete such a form. As long as the employee does not return to the workplace, the collection of such data does not appear necessary; it is sufficient to invite the employee to fill out such a form when he or she returns to the site.
• Inviting an employee to communicate his or her movements abroad, at a time when certain borders are about to open. In our view, inviting the employee to inform the employer without delay of any changes in the answers to the form, or even to complete such a form at reasonable intervals, appears to us to be a sufficient measure.
• Requiring its employees to download a tracking application. Notwithstanding the fact that the Federal Data Protection Commissioner, in a press release dated 13 May 2020, considered the application envisaged in Switzerland at this stage acceptable in view of the requirements of the DPA.

In any event, it will be ensured that the collection of this data is accompanied by the technical and organizational measures, i.e. security measures necessary to prevent access by anyone.

It should be noted that for the entities subject to the GDPR, the European Data Protection Committee issued a statement on 16 March 2020 reminding that the processing of health data appears admissible when reasons of public interest in the field of public health so require; for the rest, the Committee referred to the laws applicable in the various Member States and guidelines issued by the various authorities on this subject (see, for example, for France, the reminder updated by the CNIL on 7 May 2020, as well as a country-by-country overview of these directives).

WILHELM Attorneys-at-Law advises you in matters of data protection and labour law.