Coronavirus and labor, the protection of workers' fundamental rights and freedoms with regard to the processing of personal data

The purpose of the present discussion is to provide – on the one hand - an up-to-date picture of the recent provisions on labor and personal data, as well as - on the other hand - operational guidelines to be observed in working environments in order to pursue the best application of the legislation on the protection of personal data. This task is as arduous as ever since, with the spread of the coronavirus epidemic in Italy, different provisions have followed one another, not always in line with each other, which we are going to explore below. È however, it is possible to identify within them precepts whose compliance allows companies to put in place the behaviors, from time to time, more suitable.

1) The Information Note of the Guarantor of March 2, 2020 2) Decree Law No. 14 of March 9, 2020 3) The Protocol of March 14, 2020 4) The Statement of the European Data Protection Board of March 16, 2020

1) The information note of the Guarantor of March 2, 2020

The Privacy Guarantor with an information note, following the spread of the epidemic, inhibited the use of do-it-yourself initiatives in data collection, specifying that public and private entities must follow the instructions of the Ministry of Health and relevant institutions. The guarantor felt it was necessary to clarify the terms of the issue since numerous entities (both public and private) have begun, at the time of registration of visitors and users, to request to be able to collect information about the presence of Coronavirus symptoms and news about recent movements, as a measure of prevention from infection. As many requests were received from public and private employers, who asked the Guarantor for the possibility of acquiring a “self-declaration” from employees regarding the ’absence of flu symptoms, and events related to the private sphere. The aforementioned requests waited for no response, and throughout the country the practice spread, as quickly as spontaneously, thus making intervention even more necessary, in light of the widespread practice, in several companies that had prepared similar questionnaires. The Authority specified in this regard that such behavior is absolutely illegitimate. It should be noted, however, that this indication è in contrast to the previous orientation spread by consultants who, instead, on the basis of the combined provisions of Art. 2087 cc and Art 9 GDPR, had considered possible such control by the employer, thus favoring the proliferation of the mostù widespread questionnaires. The Guarantor, in contrast to this previous orientation, held that the employer has duties, butthese duties may be exercised only and exclusively through the mostù appropriate tools provided by the’system. This approach is in line with the government's attempt to identify a common line, avoiding uneven practices among different areas of our territory. In Conclusion, “employers must therefore refrain from collecting, a priori and in a systematic and generalized manner, including through specific requests to the individual worker or impermissible investigations, information on the presence of any flu symptoms of the worker and his closest contacts or otherwise falling within the non-work sphere”, explains the Guarantor.

The Guarantor's prescriptions can be summarized as follows:/What to do

For workers: - anyone who in the last 14 days has stayed in areas at epidemiological risk, as well asé in municipalities identified by the most recent regulatory provisions, must notify the territorial health company, including through the general practitioner, who will provideà the required investigations; - the obligation to report to the employer any situation of danger to health and safety in the workplace remains intact; - in case of suspected contact between the employee who performs duties in contact with the public comes in connection with suspected case of Coronavirus, the same, including through the employer, will provideà to communicate the circumstance to the competent health services and to follow the prevention indications provided by the health professionals approached. Employers: - è should update the “Risk Assessment Document” (so called DVR) making express mention of the epidemic risk; - must refrain from collecting, a priori and in a systematic and generalized manner, including through specific requests to the individual worker or unpermitted investigations, information on the presence of any flu symptoms of the worker and his closest contacts or otherwise falling within the non-work sphere. The purpose of prevention from the spread of Coronavirus must in fact be carried out by individuals who institutionally perform these functions in a qualified manner.

• may invite their employees to make, where necessary, the aforementioned communications by facilitating the manner in which they are forwarded, also by setting up dedicated channels;
• must notify the relevant bodies of any change in the “biological” risk arising from the Coronavirus for occupational health and other obligations related to health surveillance on workers through the competent doctor, such as, for example, the possibility of subjecting the most exposed workers to an extraordinary visit.
• should not take the place of health workers and the system activated by the civil defense, which is responsible for ascertaining and collecting information regarding typical symptoms of Coronavirus and information on the recent movements of each individual.
• must, in their capacity as data controllers, scrupulously comply with the indications provided by the Ministry of Health and the competent institutions for the prevention of the spread of the Coronavirus, without carrying out autonomous initiatives involving the collection of data also on the health of users and workers that are not legislatively provided for or ordered by the competent bodies;

2) Decree Law No. 14 of March 9, 2020

Article 14 dictates in the emergency context extraordinary provisions on the processing of personal data. It stipulates that for reasons of public interest and, in particular, to ensure protection from the public health emergency brought about by the spread of COVID-19 through appropriate prophylactic measures, as well as to ensure the diagnosis and health care of the infected or the emergency management of the National Health Service, the entities operating in the National Civil Protection Service, as well as the offices of the Ministry of Health and the Ministry of Health;Istituto Superiore di Sanita', public and private facilities operating within the National Health Service, and all entities implementing extraordinary measures, may carry out processing, including communication between them, of personal data, including those related to Articles 9 and 10 of the gdpr, which are necessary for the performance of the functions assigned to them in the context of the emergency determined by the spread of COVID-19. These entities may omit the information referred to in article 13 of the same regulation or provide a simplified information, after oral communication to the interested parties of the limitation. In the same way, authorizations may be given. The rule specifies that the communication of personal data to public and private entities, other than those referred to in Articles 9 and 10 of Regulation (EU) 2016/679, is carried out, in cases where it is indispensable for the performance of activities related to the management of the ongoing health emergency. The provision specifies that the processing of personal data shall be carried out in accordance with the principles of Regulation (EU) 2016/679, taking appropriate measures to protect the rights and freedoms of the data subjects and limited to the period of the state of emergency, at the end of which appropriate measures will be taken to bring the processing of personal data carried out in the context of the emergency, within the ordinary powers and rules governing the processing of personal data. For some this provision represents a step backward in the protection of privacy, however, it should be noted that the preeminent interest at this time and that is worthy of protection at this time è public health, therefore, always respecting the dignity of individuals the rule allows, in very exceptional and emergency cases to temporarily derogate from the good rules of the GDPR. In conclusion, if the’company falls into one of the categories referred to in the aforementioned art. 14, in case of necessity, it can’carry out the processing in the manner described above.

3) The Protocol of March 14, 2020 - for the contrast and containment of the spread of Covid-19 virus in the workplace

The social partners have arrived at a protocol that provides operational guidance aimed at increasing, in non-healthcare workplaces, the’effectiveness of precautionary containment measures to counter the COVID-19 outbreak. Confirmed within the document is the provision for the reduction and/or temporary suspension of activities, along with the possibility for the company to use agile work and social shock absorbers. The stated objective of the Protocol è to combine the continuation of production activities with the guarantee of health and safety conditions of working environments and working methods. In the context of this objective, the continuation of production activities can in fact take place only in the presence of conditions that ensure adequate levels of protection for workers. Below we see the operational implications of the Protocol within the’company.

The Information that the employer must provide to workers

To them è dedicated the first point of the Protocol. The’company, must inform all workers and anyone who enters the premises of the same, of the content of the provisions of the Authorities’by delivering and/or posting at the’entrance and in the most visible places of the company premises, appropriate information documents from which it must be evident:

• a) the’obligation to remain at home in the presence of fever (over 37.5°) or other flu symptoms and to call their family doctor and the’health authority;
• b) the’inabilityà to enter the workplace,or to stayand to have to declare promptly where, even after the’entry, the conditions of danger exist (flu symptoms, temperature, coming from risk areas or contact with people positive for the virus in the previous 14 days, etc.). In such cases, in fact, the measures of the’Authority; require to inform the family doctor and the’Health Authority’and to remain at home;
.
• c) the’commitment to comply with all the provisions of the Authorities’and the employer in making access to the company (in particular, maintain a safe distance, observe the rules of hand hygiene and keep correct behaviors on the level of hygiene);
• d) the commitment to promptly and responsibly inform the employer of the presence of any flu symptoms during the performance of work, taking care to remain at an appropriate distance from the people present.

The second point of the protocol è dedicated to the modalities of entry into the company.

• The employer must inform workers in advance, and those who intend to enter the company, of the preclusion of access to those who, in the last 14 days, have had contact with individuals who have tested positive for COVID-19 or come from areas at risk according to WHO guidance.
• Even the’entry of external visitors (cleaning company), provided that as much as possible should be reduced, should be subjected to company rules
• At the time of access, workers may be subjected to real-time body temperature monitoring. In the event that the reading is higher than 37.5°, they will not è be allowed access to the workplace.
• A person who develops fever and symptoms of respiratory infection in the company will be temporarily isolated (according to the provisions of the health authority) and the company will immediately proceed to alert the relevant health authorities and the emergency numbers for COVID-19 provided by the institutions.
• In the case of momentary isolation due to exceeding the temperature threshold, as well as in the case where the subject/worker communicates that he/she has had, outside the company context, contact with subjects who have tested positive for COVID-19, è it is necessary to guarantee the confidentiality and dignity of the worker.
• Alikewise, in the case of removal of a worker who develops fever and symptoms of respiratory infection during work activity è it is necessary to ensure the confidentiality and dignity of the same.

Data Protection Information

.

The taking of body temperature constitutes the processing of personal data and, therefore, must be done in compliance with the European Regulation on Personal Data Protection (EU Reg. 2016/679). The Protocol also suggests the operational modalities of data processing: 1) take the temperature and not record the acquired data. 2) provide the’information on the processing of personal data in accordance with the’art. 13 GDPR

With regard to the contents of the’notice, the Protocol specifies that:

- with reference to the purpose of processing may be indicated the prevention from COVID-19 infection, - with reference to the legal basis may be indicated the’implementation of anti-contagious security protocols in accordance with Art. Art. 1, no. 7, lett. d) of the Prime Ministerial Decree of March 11, 2020 (Art. 6, lett. e), as well as Art. 9, lett. b), GDPR; - with reference to the timing of any data retention è it will be possible to indicate the end of the state of emergency.

The Protocol reminds that data may be processed exclusively for purposes of prevention from COVID-19 infection and should not be disseminated or disclosed to third parties outside the specific regulatory provisions.

With reference to the legal basis, the above processing represents an explicit derogation from the prohibition under Art. 9, para. 1, GDPR to process the special categories of personal data – including data related to health – falling under the case of para. 2, lett. (b), of the same article where “the processing è necessary to comply with the obligations and exercise the specific rights of the data controller or the data subject in the field of labor law and social security and social protection, insofar as it is authorized by Union or Member State law or by a collective agreement under the law of the Member States, where there are appropriate safeguards for the fundamental rights and interests of the data subject.”

The security measures

The Regulatory Protocol also suggests that appropriate security and organizational measures be defined to protect the data. In particular, from the organizational point of view, it is necessary to identify the persons in charge of processing and provide them with the necessary instructions. Those in charge are understood to be professionals subject to professional secrecy. In fact, the Protocol specifies that “the competent doctor shall report to the’company situations of particular fragilityà and current or past pathologies of employees and the’company shall provide for their protection in respect of privacy the competent doctor shall apply the indications of the Health Authorities”. As for the measures those who carry out the aforementioned treatments must always operate with reference to the provisions of paragraph 1 of the’art. 25 GDPR in relation to the pseudonymization of data, as well as all the provisions of’art. 32 GDPR.

On the issuance of the epidemiological risk statement

In this regard è the Guarantor intervened, specifying that if the issuance of a statement attesting to the fact that one does not come from epidemiological risk areas and the absence of contact, in the last 14 days, with subjects who have tested positive for COVID-19, è the same Protocol to remember to pay attention to the regulations on the processing of personal data, sinceé the’acquisition of the statement constitutes data processing. To this end (in accordance with the so-called principle of minimization ex art. 5, par. 1, lett. c), GDPR) it is suggested to collect only the data necessary, adequate and relevant with respect to the prevention of COVID-19 infection.

The employer and/or the’company, therefore:

• if requesting a statement on contacts with persons who tested positive for COVID-19, should refrain from requesting additional information regarding the person who tested positive,
• if it requires a statement about coming from epidemiological risk areas, it should refrain from requesting additional information regarding the specificsà of the locations.

4) The Statement of the European Data Protection Board of March 16, 2020 GDPR and coronavirus: the’intervention of the’EDPB

On March 16, 2020, the Chairwoman of the European Data Protection Board (EDPB) è through the issuance of a Statement, on how to apply data protection legislation in the context of the coronavirus crisis. This intervention has become necessary in order to attempt to harmonize the previous guidance provided by the numerous European Data Protection Authorities, which in recent days have expressed their often discordant views on the matter. First, the EDPB clarified that privacy legislation, does not constitute a limitation on the’adoption of measures to combat the coronavirus pandemic. On the contrary, the Committee emphasizes how its own European Regulation offers a variety of legal bases that can be used, as an alternative to consent, to be able to process personal data as a measure to contain the contagion.

The’EDPB indicates in particular that processing could be justified if:

• a) “necessary for reasons of public interest in the field of public health”;
• b) “necessary to protect a vital interest of the’data subject or another natural person”
• c) “necessary to fulfill a legal obligation”

In light of what has been said, the Committee seems to be in line with the emergency measures that, in recent days, might seem, at first glance, to have compressed the sphere of rights related to the protection of personal data. With the issuance of the Statement, it can be said that the EDPB appears to be open to allowing companies to collect the personal data of their employees and others, including health data, to prevent the spread of the virus, at least if this is done in a proportional manner and with respect for the dignity of each individual.

In the light of the above regulations and indications, and pending, to receive more punctual indications, both at the national and EU level, it is recommended to limit processing to those deemed strictly necessary, and to always carry it out in compliance with the provisions of the GDPR regulations as well as with respect for human dignity.