Aware of the gravity of the situation, employers began collecting health data related to COVID-19 from their employees and visitors quite early on, which quickly raised privacy concerns – what exactly is permitted in the present circumstances, and under which conditions?
Although Serbia has declared a state of emergency and implemented a number of measures aimed at addressing the COVID-19 concerns – including restricting freedom of movement and gatherings – no derogation from the Constitutional right to protection of personal data has yet been put in place. This means that employers are permitted to adjust their business activities and data processing practices to address the new developments, but any measure implemented to that end must be fully in line with the Serbian Data Protection Law. The Serbian Data Protection Authority has recently issued a general position on data processing during the COVID-19 outbreak, which only reiterates the need to maintain compliance with the law, but unfortunately does not provide any further details.
Since personal data related to COVID-19 is health data, which is considered sensitive under the law, its processing can be performed only if a specific set of conditions is met. Amongst these conditions, the key ones relate to ensuring:
Adequate legal grounds, which in the context of COVID-19 may include compliance with an employer’s legal obligation to ensure safety and health at work, the legitimate interests of an employer or third parties (e.g., visitors and other employees), the public interest, or even the protection of individuals’ vital interests. Processing of health data must also fall within one of the exceptions to the general rule prohibiting the processing of sensitive data, among which the public interest in public health, an employer’s obligations in the field of employment, or potentially even the protection of individuals’ vital interests could be considered.
Specific and necessary purposes, which include the need to determine whether employees and visitors are infected or have been in contact with infected people in order to provide a safe workplace for other employees. With respect to the disclosure of the identity of infected persons to other employees, this would be lawful only if it is strictly necessary for the protection of others.
The data minimization principle, which requires that employers collect only the information strictly necessary for achieving a specific purpose. For instance, it would be proportionate to collect data such as previous contacts with supposedly infected persons, stays in high-risk areas, whether a person is symptom-free, and contacts made with others within the company. Although on-site measurement of employees’ temperature may be considered reasonable, at least in certain circumstances, the prevailing interpretation of EU data protection authorities is that it is prohibited; and
Prior notification, which means that the employees and visitors should be properly informed of all aspects of data processing and their related rights, which can be performed either by amending existing privacy notices or (ideally) by preparing new ones specifically addressing the COVID-19 circumstances.
Depending on the specific measures implemented, companies should also consider performing a data protection impact assessment prior to collecting any personal data from individuals relating to COVID-19. This assessment is mandatory when the processing is likely to result in a high risk to individuals’ rights and freedoms, which in Serbia explicitly includes the large-scale processing of health data, but is very helpful in other cases as well to ensure compliance with key data processing principles.
It goes without saying that finding an adequate balance between the health and safety precautions in the workplace and employees’ right to privacy is quite a challenge. Although it would be unusual for the Serbian Data Protection Authority to start being overly nit-picky with enforcement during this time of crisis, it is nevertheless advisable to maintain at least certain reasonable privacy compliance standards. This is even more important for companies that intend to implement more intrusive COVID-19 measures, as these are likely to disrupt the delicate safety/privacy balance the employees and the public are used to, potentially resulting in both compliance risks and reputational damage.