Coronavirus and the GDPR: privacy on the work floor

Published on 16 March 2020 categories , , ,

The upcoming period, many people will be doing their work at the kitchen table or on the couch. The Dutch stay at home due to the coronavirus. The advice to employers is to let employees work at home as much as possible until 6 April 2020. In addition, employers are requested to spread the working hours of employees as much as possible. Employers are responsible for providing a healthy and safe working environment. Depending on the situation, refusing access to the workplace may be part of this responsibility. But in which manner can employers give effect this?

Employer may not process health data

Data on employees’ health are particularly sensitive and are given additional protection under the General Data Protection Regulation (GDPR). Within this framework, the GDPR provides employers the option to process only the necessary information about sick employees. For example, information to assess whether wages should continue to be paid.

It is not permitted to process information about the nature and cause of an employee┬┤s illness. An employer is also not allowed to ask for it. That is up to the occupational health and safety service/company doctor. However, certain information may be requested and registered, such as the telephone number where the employee can be reached, the (nursing) address, how long the employee thinks the illness will last and what his/her current work and appointments are. As an employer, it is important to know how long the employee thinks his/her absence will last. But it is not necessary to know what illness someone has and why. Therefore, an employer is not allowed to ask about this.

The Dutch Data PRotection Authority also applies this strict approach when it (presumably) concerns the Coronavirus: `As an employer, you hardly ever have the right to process health data of your employees yourself. However, you can call in the occupational health and safety service or company doctor to check for corona. Furthermore, it is especially important to follow the current advice of your regional Public Health Service and the National Institute for Public Health and the Environment. ‘According to the supervisor, this means that the employer may not keep a record of where employees have been on holiday. Employers are also not allowed to measure and/or record the temperature of employees. The advice of the Data Protection Authority therefore boils down to the current advice of the regional Public Health Service and the National Institute for Public Health and the Environment. Employees who suspect that they have the coronavirus must contact the regional Public Health Service themselves. The Public Health Service can then, in consultation with the employer, take measures for on the work floor.

The data protection authority of Belgium also takes the same strict approach to employee health data.

Position EDPB

On 16 March 2020, the European supervisors, united in the European Data Protection Board (EDPB), published a statement on the processing of health data in the context of the coronavirus. The EDPB stresses that data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. The GDPR also provides for the legal grounds to enable the employers to process personal data in the context of epidemics, without the need to obtain the consent of the data subject. This applies for instance when the processing of personal data is necessary for the employers for reasons of public interest in the area of public health or to protect vital interests (Art. 6 and 9 of the GDPR) or to comply with another legal obligation. The EDPB thus seems to see more options for employers.

The issue here is that the exceptions mentioned by EDPB only apply once they have been implemented into national legislation (the Dutch GDPR Implementation Act). This is not the case for the Netherlands, at least not for this situation. For example, the Dutch GDPR Implementation Act does stipulate that health data may be processed to protect vital interests, but only if the data subject is physically or legally unable to give his or her consent.


The employer and the employee are both obliged to behave like a good employer and a good employee. This is stated in Dutch law. What this means depends on what is reasonable. For example, the social and personal interests involved in the situation must be taken into account. In that context, employers already take the necessary preventive measures, such as working from home, spreading the work hours and postponing staff parties and events. The question then arises as to what can reasonably be expected of employees in this context. For example, it is not inconceivable that employees who have recently visited one of the risk areas will inform their employer about this or consult the (company) doctor.





Related posts