2 minute read 6 Apr 2020

Data Protection during COVID-19 crisis

By Michael Hofmann

EY Luxembourg Partner, Executive Member of the Board of Managers, EY PFS Solutions

2 minute read 6 Apr 2020
Related topics COVID-19 Cybersecurity

We are currently facing a challenge in the fight to contain the coronavirus (COVID-19) and several countries are implementing emergency measures to contain the pandemic, while European countries are currently at the epicenter of the outbreak.

Companies are looking to adopt measures that support business continuity, while adequately protecting the health and safety of workers, customers, etc. and complying with broader public health protocols. The pace of response is moving quickly, as the impact of the pandemic spreads rapidly.

As organizations implement emergency measures, it is important to consider the privacy implications of any action taken. In the European Union, any measure involving the processing of personal data may give rise to data protection compliance issues that must be managed in accordance with the General Data Protection Regulation ("GDPR").

This article is a compilation of the various guidelines for Data Protection Authorities (DPAs), with a brief summary of each and focusing the analysis on the stipulations published by the Commission Nationale pour la Protection des Données (CNPD), the Luxembourgish DPA.

The Luxembourgish case

In the Luxembourg’s professional context, private and public actors have a legal obligation to ensure the safety and health of their employees or agents in the workplace (article L.312-1 of the Labour Code).

Nevertheless, in the event of a report, an public or private actor may, as part of its health and safety obligations, record:

• the date and identity of the person suspected of having been exposed;

• the organizational measures taken (containment measures, teleworking, contact with the occupational medicine service, etc.). 

Actors will be able to communicate to the health authorities, if they so request, the elements related to the nature of the exposure, necessary for any health or medical care of the exposed person. For their part, each employee/agent must implement all means to preserve the health and safety of others and themselves (Article L.313-1 of the Labour Code): they must, in principle, inform their employer if they suspect contact with the virus. The evaluation and collection of information on the symptoms of the coronavirus and information on the recent movements of certain persons is the responsibility of the public authorities, not the employer. While private and public actors may implement measures to limit the spread of the virus (e.g. travel restrictions or hygiene measures), such measures must take into account the privacy of the persons concerned.

Actors should therefore refrain from collecting information on the search for possible symptoms presented by an employee or external person and their relatives in a systematic and generalized manner, or through individual inquiries and requests. Employees, on their side, have the obligation to inform the employer about any suspicion of contact with the virus. 

Common elements

The European data protection authorities recommend that the following points to be complied with, when considering the privacy risk associated with any additional data processing activity in connection with COVID-19's management and infection prevention activities:

1. Ensure that the measures implemented are consistent with current (and rapidly evolving) public health’s authority’ies advice;

2. Limit the nature and volume of additional personal data processing activity to what is absolutely necessary to carry out the relevant response measure. 

3. Whenever possible, avoid processing specific health-related information that can be linked to an individual.

4. Ensure that measures are strictly limited in time to deal with the current pandemic and reduced once they are no longer necessary.

5. Seek to ensure that all additional measures are monitored and approved by a health professional or occupational health professional, particularly if health data are being processed.

6. Display a notice to explain what data is collected, by whom and for what purposes, and (as appropriate) update privacy policies.

7. Maintain a record of the legal basis for the treatment.

8. Comply with the already existing relevant GDPR principles (retention, security, etc.)

9. Record the decision-making procedure in a data protection impact assessment

10. When dealing with employment data and related decisions, also consider compliance with employment laws and understand the impact on the employment rights of data subjects.

Specificities and trends from different DPAs 

In Belgium:

Businesses should not assess risks to the health of employees; that task belongs to occupational doctors. Employers must inform employees and visitors about the purposes for which their data are processed and the period during which their personal data will be kept in any circumstances. A general and systematic checks of employees (e.g. temperatures) cannot be carried out. Checks will be carried out only by the occupational doctor. An employee may not be required to complete a form on the employee's health status or recent travels.

In Italy:

Employers should refrain from systematically and widely collecting, including through specific requests to the individual worker or unauthorized investigations, information about the presence of any flu symptoms from the worker and their closest contacts. Additionally, if during work activity, an employee who performs tasks in contact with the public (e.g. counter services) and is in contact with a suspected case of Coronavirus, he or she, also through the employer, will communicate the circumstance to the competent health services and comply with the prevention instructions provided by the health workers consulted.

In Spain:

Unless the health authorities deem it appropriate to identify the person concerned, the processing should stay anonymous. When such collection of data could be considered necessary as a risk prevention measure in the workplace, the principle of proportionality and minimization of data should be respected. After informing the employer and/or the prevention service, if the employee is on leave, he/she does not have to indicate the reason for the leave, unless the right to health protection of the group of workers prevails.

In France:

As the employer is responsible for the health and safety of the employees in accordance with the Labour Code (particularly its article L. 4121-1), an employer may record the date and identity of the person suspected of having been exposed and the organizational measures taken (confinement, teleworking, orientation and contact with the occupational doctor, etc.). Nevertheless, only public health authorities, who are qualified to take measures appropriate to the situation can process and collect information related to coronavirus symptoms and information on recent movements of certain persons as it is their responsibility.

In the UK:

The National Health Service or any other health professional from sending  public health messages to individuals, whether by telephone, text message or email, as these messages are not direct marketing. Staff should be kept informed about cases in the organization, without naming individuals and providing more information than necessary. There is an obligation to ensure the health and safety of employees. It is reasonable to ask employees to tell if they have visited a particular country or if they are experiencing symptoms of COVID-19.

In Ireland:

Companies can use the Article 9.2(b) RGPD basis to process their employees' personal data, as employers have a legal obligation to protect their employees under the Irish Health, Safety and Welfare at Work Act 2005. However, employers must rely on this legal basis only where it is considered necessary and proportionate to do so and must ensure that any information is treated confidentially.


We are currently facing a challenge in the fight to contain the coronavirus (COVID-19) and several countries are implementing emergency measures to contain the pandemic, while European countries are currently at the epicenter of the outbreak.

About this article

By Michael Hofmann

EY Luxembourg Partner, Executive Member of the Board of Managers, EY PFS Solutions

Related topics COVID-19 Cybersecurity