Processing of personal data in the context of the COVID-19 outbreak
We have prepared below a brief overview of certain opinions and positions of the Slovenian Information Commissioner (hereinafter: IP) regarding the processing and protection of personal data in the context of the SARS-CoV-2 virus (COVID-19) outbreak, which we have summarised in the form of Q&A.
Does the applicable law in Slovenia allow and under what conditions does it allow processing of health data of employees, especially with respect to monitoring of body temperature of employees and possible obligation of the employee to inform the employer of a COVID-19 infection occurrence?
As a preliminary point, we emphasize that, in accordance with the provisions of the labor law legislation, employers are not normally entitled to process employees’ health data, which includes data on the diagnosis, body temperature of employees, etc. Such data is one of the special categories of personal data, and Article 9 GDPR prohibits its processing unless one of the exceptions under Article 9(2) GDPR applies. According to the IP, at a time when we are experiencing the spread of COVID-19 infections and both individual and public health are threatened, special circumstances may require measures that may also interfere with the processing of special categories of personal data.
However, that is a question that needs to be answered primarily by health care professionals, especially by an authorized occupational health-care professional. It can be discerned from the IP’s opinions that the IP proceeds from the requirement that an appropriate person in the health profession must examine the necessity of individual measures aimed at achieving a specific goal. The IP also emphasizes that the necessity of individual measures should be examined in the light of concrete circumstances (what kind of work is involved, whether the work is conducted from home, what is the nature of the work, etc.).
Regarding the measurement and monitoring of employees’ body temperature, the IP emphasizes the need to verify whether there are other, less invasive measures that may be even more effective in terms of actually preventing the spread of the infection and ensuring a smooth working process (for example, there were media reports about organizations arranging work so that a certain group of employees works for a certain number of days while the others remain in domestic isolation, which significantly reduces the possibility of infection). The IP also expresses doubts about the need for continuous monitoring of employees. Furthermore, the IP considers that employers who intend to introduce such a measure should carry out a data protection impact assessment, which may also be specific, brief and concise. In any case, employees must be duly informed in accordance with Article 13 of the GDPR that such measurement or monitoring is being carried out.
The IP further considers that the justification of the employer’s request that the employee notify the employer in the event of a COVID-19 infection depends on the type of work involved, how the employer arranged it and the nature of the work. Such an obligation of an employee may be ordered by an individual company at the discretion of the competent institutions and the authorized person for occupational health-care (depending on the specific nature and organization of work) and taking into account the ZDR-1 (Employment Relationships Act) in connection with sectoral regulations and measures for ensuring health and safety at work. However, if the employer becomes aware of such information, the employer must ensure adequate protection and shall not be entitled to disseminate it without the appropriate legal basis. In principle, providing statistics (e.g., only information on the occurrence of an infection in a particular company, class, floor, etc.), without other information that enables the individual to be identifiable, is sufficient when dissemination of such information is necessary.
Does the applicable law in Slovenia allow and under what conditions does it allow call forwarding to the employees’ personal mobile devices?
As a preliminary point, please note that the employer may also order work from home in accordance with Article 169 of the ZDR-1 (Employment Relationships Act), pursuant to which the employer may temporarily change the place of work during an emergency even without the employee’s consent, but only for as long as such circumstances last. In such a case, the employer may decide that the availability of a particular employee by telephone is absolutely necessary for the performance of his / her duties (e.g. for the purpose of working with clients), but should provide the employee suitable working means (e.g. a business telephone).
The IP believes that the employee may also make available his or her work resources (such as call forwarding to his / her mobile phone) but must explicitly consent to this. The employer may, therefore, designate call forwarding to employees’ private telephones, but must have the appropriate consent for such measure. Such consent may have already been given by the employee in the employment contract. In any case, the principle of data minimisation must be respected, which means that the telephone number should be used only to the extent absolutely necessary for the tasks of work from home. Upon termination of extraordinary circumstances, the employer may not further process or store the private number without the appropriate legal basis.
Does the applicable law in Slovenia allow and under what conditions does it allow online communication between the provider and the client and transfer of special categories of personal data through telecommunication networks?
Specific consent for online communication is not necessary, but it should be noted that individuals need to be properly informed, meaning that the data controller (i.e. the service provider) should clearly and transparently communicate to the client what personal data will be processed, for what purposes, what rights individuals have, etc., as required and provided by Article 13 of the GDPR.
Personal data protection legislation does not prohibit the use of online tools and communication methods, but caution must be taken to ensure the security and confidentiality of data, especially when processing of special categories of personal data (e.g. health data) is involved. The data controller (i.e. the service provider) must verify that the individual tool enables confidentiality, in particular by enabling encrypted communication that prevents unauthorized persons from becoming familiar with the content of the communication. Details of the technical requirements for the transmission of special categories of personal data via telecommunications networks can be found at the following link: https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=1448, regarding which we emphasize that regular e-mail as such does not provide special security.
Special consideration should also be given to the possibility of transfer of personal data to third countries, as many providers of such solutions come from the US. The IP recommends checking if the solution provider is on the EU-US Certified Privacy Shield list (available at: https://www.privacyshield.gov/welcome).
Does the applicable law in Slovenia allow and under what conditions does it allow processing of geolocation data?
As a preliminary note, we emphasize that when it comes to the controller of personal data bound by the provisions of the Electronic Communications Act (Official Gazette of the Republic of Slovenia, No. 109/12, as amended; ZEKom-1), the special conditions and restrictions for the processing of geolocation data pursuant to Article 152 of ZEKom-1 must be respected. The aforementioned provision of ZEKom-1 applies for operators of electronic communications services.
In cases where the controller is not bound by the provisions of ZEKom-1 or the provisions of other special legislation, the decision on the legal basis for the processing of geolocation data must be taken by the data controller in light of the GDPR provisions, taking into account the specific context and purposes of processing such data and the risks to individuals’ rights when processing their geolocation data. Such risk can be considerable when processing of geolocation data is conducted. In the absence of the express consent of the individual, the legitimate interests of the data controller could also be an appropriate legal basis. The IP emphasizes that it is necessary to satisfy the test of weighing the legitimate interest of the data controller on the one hand against the encroachment on the interests or fundamental rights and freedoms of the individual on the other. Such assessment must be carried out by the data controller.
In any case, the data controller must respect the basic principles of the processing of personal data, among others the principle of proportionality, pursuant to which the data controller must choose the solutions that least affect the rights of individuals with regard to the processing of individuals’ geolocations, taking into account the purpose pursued by the controller. The IP considers that invasive measures, such as “tracking” individuals for a specific purpose (i.e. processing historical non-anonymized location data), can only be considered proportionate in exceptional circumstances and when strong safeguards for the rights of the individual are provided (i.e. that proportionality of processing with respect to duration and scope, data retention time limit and purpose limitation is ensured). Whatever the legal basis, the data subject must be properly informed in accordance with Articles 12, 13 and 14 of the GDPR.
* * * * *
In addition to an overview of certain opinions and positions of the Slovenian Information Commissioner regarding the processing and protection of personal data in the context of SARS-CoV-2 virus (COVID-19) outbreak in the Republic of Slovenia, please find attached also a summary (Adriala Covid-19 Comparative Legal Guide Processing of personal data in the context COVID-19) prepared by Adriala alliance, a network of independent premium law firms based in 9 jurisdictions in the SEE region (Albania, Bosnia and Herzegovina, Bulgaria, Croatia, Kosovo, Macedonia, Montenegro, Serbia, Slovenia) and of which our law firm is a member.
Our law firm is actively following the latest COVID-19 developments. As always, you can contact us via e-mail or telephone +386 (0)1 2445500, or you can directly contact the lawyer you are generally in contact with.
Law Firm Kavčič, Bračun & Partners, o.p., d.o.o
Ljubljana, 6 April 2020
Please kindly note that the answers to individual questions represent summaries of the opinions and positions of the Slovenian IP and not the observations of the KBP Law Firm. The answers are prepared for general information purposes only, may be subject to change and may not be used instead of a legal opinion/advice. KBP does not guarantee the accuracy of the information and shall not be liable for any damages or costs in connection with the use of, or reliance on, the information contained herein.