The impact of the Covid-19 pandemic on the everyday life of businesses is dramatic. Protecting employees, customers and business partners from infection is a new, urgent challenge for many companies.
As the pandemic progresses, the question of how data protection compliance can be ensured in these exceptional circumstances arises more and more frequently. The economic impact on businesses is overwhelming, and many companies act quickly and take far-reaching decisions which, especially when they involve the processing of employees' health data, also require an assessment under applicable data protection laws.
Does the Covid-19 "state of emergency" override data protection law?
No, the opposite is true. Due to the enormous risks of Covid-19, companies will process highly sensitive health data of employees to an increased extent, and this data remains subject to data protection law. Because of the substantial public health risk posed by Covid-19, businesses may be able to justify such processing under Art. 6 and 9 GDPR (EU General Data Protection Regulation) and, if applicable, local laws. Without such a public health risk, the same processing might not be lawful. So that businesses can demonstrate the lawfulness of their processing to supervisory authorities retrospectively, they should fulfil their accountability duty under Art. 5 (2) GDPR. In particular, decisions with relevance to data protection law must be justified and documented. Under current Swiss data protection law, the duty to inform in connection with the processing of health data needs to be observed. In general, the principle of proportionality applies. Where health data is disclosed to third parties, this needs to be justified and documented appropriately.
Are businesses allowed to check the body temperature of their employees?
Data protection law does not prevent employers from checking the body temperature of their employees as long as no identifying information about the employees is collected. If businesses intend to record the measurements, the permissibility must be carefully assessed, taking into account the circumstances of the individual case. It is recommended to conduct a data protection impact assessment (DPIA) and to observe labor law provisions.
Can data protection law conflict with working from home?
Before allowing home office work, businesses should double-check that working from home does not violate their contractual obligations towards third parties. For example, data processing agreements (commissioned processing contracts) may contain restrictions on where and on which systems personal data may be processed. Violations can, in the worst case, lead to contractual penalties or to extraordinary termination of data processing contracts by business partners. In addition, any accompanying measures for home office work that may amount to monitoring of employee behavior, such as tracking of computer activity, need to be assessed carefully for compliance with data protection and labor law. A further aspect to consider is employees who may reside abroad, since this results in a cross-border data transfer.
What kind of security measures should businesses have in place for working from home?
If employees process personal data from home, they must still comply with the company's internal technical and organizational measures (TOMs). For example, documents containing personal data must be kept confidential, i.e. out of reach of household members or visitors. It is the duty of every business to instruct its employees accordingly and to oblige them to comply with the applicable TOMs. When introducing working from home, companies should also anticipate the risks that arise where a "Bring Your Own Device" (BYOD) policy applies. Technical measures to prevent business data from being copied or automatically synchronized to private home devices need to be implemented. Otherwise, an event such as the synchronization of an employee's business address book to their private device, and from there to privately used applications, may constitute a data breach.
Are companies allowed to inform their employees about infected colleagues by naming them?
The disclosure of the names of infected employees is a very severe intrusion into the rights of the affected employees and must be carefully assessed in each individual case. On the other hand, the major risks to fellow employees, and especially to their elderly family members, must be considered. Failure to mention the risk of infection can indirectly lead to the infection of members of risk groups whose mortality rate may be higher. These health risks can be taken into account individually in the data protection assessment (especially regarding Art. 6 and 9 GDPR or applicable local laws). The involvement of the data protection officer and observance of the principle of proportionality are required. The principle of data minimization is also relevant, in that it restricts the number of recipients of sensitive personal information to those who need it.
Must businesses inform their employees about data processing concerning Covid-19?
Yes. If companies introduce new employee-related data processing activities or adapt existing ones, the employees must be informed in advance under both the GDPR and Swiss law. Obtaining explicit consent may need to be considered insofar as the overriding public interest in connection with a health emergency does not justify the planned processing activity. Note, however, that consent must be freely given and must be capable of being withdrawn at any time; given the imbalance of power in the employment relationship, freely given consent is often difficult to establish, so consent should not be the default legal basis.
To what extent must businesses adapt their data protection documentation?
Adapting internal processes in response to Covid-19 measures also entails updating the data protection documentation, in particular the data protection impact assessments (DPIA) and the register of processing activities under the GDPR (the same applies under the upcoming revised Swiss Data Protection Act).
Why is it necessary to review and/or amend IT supplier contracts?
Experience has shown that Covid-19 measures may lead to increased use of the IT infrastructure (e.g., due to home office work). In order to prevent negative impacts on the IT infrastructure, the relevant IT supplier contracts should be assessed with regard to the agreed quantity and quality of performance (service levels) of the IT infrastructure and, if necessary, amended.
Is the concept of "force majeure" relevant in the context of Covid-19?
Many contracts contain "force majeure" clauses under which performance obligations can be suspended in the event of an epidemic. However, businesses should only rely on such clauses after a careful assessment of the individual case, as there is a high risk that the circumstances in question are not sufficient to suspend contractual performance obligations. Unjustified non-performance can lead to substantial compensation claims by the contracting party. Depending on the applicable law, businesses may, in individual cases, be exempted from performance obligations or be entitled to demand an amendment of the contract due to the special circumstances of the Covid-19 "state of emergency", even without a contractual provision to that effect.
When must businesses notify their contractual parties of a delayed or impossible service?
Businesses must inform their contractual parties immediately, based on the contractual duty of consideration towards the other party. If information is provided in time, supply chains can be adjusted and damage-reducing measures can be taken. Failure to notify can result in claims for compensation.
How can you best respond to Covid-19 risks from a privacy law perspective?
• Keep yourself and relevant stakeholders informed and consider the available guidance from the Data Protection Supervisory Authorities in connection with Covid-19.
• Do not assume that the current health emergency per se justifies extended data processing. There are legal limits, as well as internal technical and organizational measures (TOMs), that need to be considered.
• Be aware of changes to your standard processes caused by Covid-19 measures. In general, every major deviation requires an assessment under data protection law. We recommend conducting data protection impact assessments where required.