Coronavirus – Challenges related to data protection law

Many businesses are currently taking a wide range of initiatives which involve – quite naturally – the processing of personal data about their employees.

We generally see that businesses have many questions about which type of employee data they are allowed to process in connection with coronavirus (COVID-19), as well as questions concerning the disclosure of data about affected employees to customers and to other employees of the business.

It is important in this respect to ensure that the basic principles of data protection law are observed, particularly the principle of data minimisation.

Below is a list of data protection considerations that businesses should take into account in particular:

  1. The disclosure of personal data must be objectively justified and necessary. Pay particular attention to the disclosure of data in situations where:
    • an employee has been found to be infected with COVID-19 and a larger part of the organisation needs to be informed. Here it is important to consider carefully which data can be disclosed about the infected person. The identification of the infected person should be avoided to the extent possible;
    • an employee has been found to be infected with COVID-19, and a few employees need to be informed as they have been close to the infected person. In this case, it will most often be necessary to identify the infected person so that the affected employees can be identified and self-quarantine at home.
  2. The obligation to provide information must be complied with, see Articles 13 and 14 of the GDPR. As a general rule, the business’s way of processing information should already be detailed in its privacy policy for employees, but if this is not the case, it is recommended that the business meet its obligation to provide information by sending a standard email from HR to the infected person. Remember to include all the required information.

  3. Remember that consent can very rarely be used in employment relationships.

  4. Remember that requests from data subjects, such as requests for access to personal data, must be responded to as soon as possible and at the latest within one month. If it is not possible to comply with the time limits, it is recommended that businesses, on receipt of the first request from the data subject, at least send a standard response pointing out that the handling of the data subject’s request may be delayed due to COVID-19 and a reduced workforce.

  5. Be sure to have the same level of security when working from home as when working in the office. If employees have taken home any printed material, such material must be afforded the same degree of protection, for instance by being stored in locked cabinets. In addition, a connection to the business’s IT systems must be set up in a secure manner, for instance via a VPN with two-factor login authentication. Inform the employees about the risk of phishing emails and provide guidelines for handling suspicious email messages. See the threat assessment and guidelines issued by the Danish Centre for Cyber Security.

  6. Be careful with data security, including encryption, especially for emails or text messages containing health information or civil registration (CPR) numbers. If an email is sent without complying with the security requirements, it will be regarded as a personal data breach within the meaning of Article 33 of the GDPR.
