As confirmed by a statement from the Chair of the European Data Protection Board (“EDPB”)(1), the GDPR provides for the legal grounds to enable employers and competent public health authorities to process personal data in the context of epidemics (e.g. for reasons of public interest in the area of public health or to protect vital interests).
That being said, the Luxembourg data protection authority (the “CNPD”), which continues to carry out its duties in the current context (2), has issued recommendations which must be followed by Luxembourg private and public stakeholders and which have recently been updated (11.06.2020)(3), notably in order to take into account the guidelines of the data protection authorities of neighbouring jurisdictions.
Indeed, while such entities are responsible for ensuring the health and safety of their employees and of their workplace, and hence implement measures to contain the coronavirus, the CNPD recalls that data subjects’ right to privacy should always be borne in mind.
Among the above-mentioned measures, Luxembourg entities should invite their employees and agents to reach out to them (in certain instances, taking into account the employees’ / agents’ obligation of security) or directly to health authorities in case of (potential) exposure or symptoms. In the event of a report, the employer is allowed to maintain a record with limited information which could be disclosed to health authorities, if requested.
In a nutshell, Luxembourg entities may only process data that is strictly necessary in order to comply with their legal obligations. They must thus refrain from conducting their own investigation or "contact tracing", and from collecting information in relation to the possible symptoms of employees, externals or relatives in a systematic and generalised manner or through individual inquiries and requests. In particular, they shall not ask for specific health questionnaires or declaration forms to be completed.
As a rule, temperature screening should not be an employer’s only response to the COVID-19 outbreak and employees should be encouraged to work from home to the maximum extent possible. Nevertheless, in view of the latest communications from the Luxembourg government and the planned phasing-in of an end to quarantine, employees will progressively be returning to the workplace.
As employers have an obligation to ensure the health and safety of their employees and the security of their workplace, stakeholders may wonder whether it is permissible to take employees’ temperatures for the purpose of granting or denying access to business premises.
We would like to highlight that this question requires an analysis of the particular facts of each situation. Luxembourg data protection rules and requirements must always be taken into account in so far as the employer will gain access to personal information as a result of the screening (e.g. the employee’s work location, either on-site or from home).
In accordance with the CNPD’s recent recommendations (1), merely taking a body temperature reading at the entrance of a site does not qualify as an instance of processing personal data, as long as this reading does not entail, and is not linked to, any additional record or processing of personal data.
Similarly, the use of thermal cameras is allowed as long as it does not allow the identification of employees, agents or visitors and is not linked to any recording or re-using of the images.
However, the CNPD considers that this would be different if the employer (i) creates a file containing all the monitored temperatures as well as identification data of the monitored persons, or (ii) could consult the images recorded by the thermal cameras and identify the data subjects. This would indeed be a disproportionate processing of data, which would not comply with the principle of data minimization, insofar as the employer could have implemented less invasive means to protect the employees’ and visitors’ privacy.
Those recommendations follow the French and Belgian data protection authorities’ guidelines (2)(3).