Earlier we wrote about the use of corona rapid tests in an employment context. Due to a lack of testing capacity, people sometimes have to stay at home for several days at a time. As a result, organisations are struggling with a lack of employees in the workplace. This has particularly serious consequences for sectors in which it is not possible to carry out work from home. Many organisations are therefore looking for solutions to get their employees back in the workplace as quickly as possible.
The use of corona rapid tests could be such a solution. But is it really permitted to use rapid tests in a working environment? What measures can organisations take to make this possible? And what are the risks? These and other questions will be addressed in this blog series.
Does the GDPR apply?
In the first part we discussed that the use of corona rapid tests could be arranged in such a way that it does not involve the processing of personal data. As a result, the use of corona rapid tests would fall outside the scope of the GDPR. This in turn means that the Dutch Data Protection Authority (DPA) cannot take enforcement action against the use of these tests. In many situations, however, organisations will not be able to avoid processing the results of corona rapid tests in any way, or at least it cannot be ruled out that this will happen (for example, afterwards when reporting sick). And when it comes to the processing of personal data, the GDPR will have to be complied with.
What if the GDPR does apply?
If the GDPR applies, this means in the first place that a lawful basis is required for the processing of the personal data concerned. In the case of the use of corona rapid tests, these data will usually consist of the test results. Because the test results show whether someone is infected with the coronavirus, this is personal data concerning health. And personal data concerning health are a special category of personal data. This means that the processing thereof is in principle prohibited, unless an employer can invoke one of the exceptions as included in the second paragraph of Article 9 of the GDPR.
The best-known exception is explicit consent (Article 9(2)(a) GDPR).
When asked whether explicit consent can be used to record the health status of an employee, the DPA answers that consent can hardly ever be a valid basis for registering this type of sensitive information about employees. Employees may feel obliged to agree with their employer, which means that consent cannot be ‘freely given’. Only in very exceptional cases may data on the nature and cause of an employee’s illness be recorded on the basis of consent, for example when an employee has a serious degree of diabetes or epilepsy. In such cases, it may be necessary for close colleagues to be aware of this, so that they know how to act when their colleague does not feel well.
This view of the DPA is in line with the case law and views of other European supervisors. Explicit consent therefore indeed does not seem to be a suitable legal basis for the processing of the (results of) corona rapid tests.
Another exception for the processing of health data that could be interesting in this context is the exception mentioned in Article 9(2)(c) GDPR. This legal basis can be used when the processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving his or her consent.
It follows from recital 46 of the GDPR that this basis can be used for ‘monitoring epidemics and their spread’. At first glance, this basis appears to be appropriate, but this does not alter the fact that monitoring an epidemic is probably not a task that belongs to an employer. Rather, this seems to be a task for an authority such as a Municipal Health Service.
In addition, this legal basis can only be used if the data subject is physically or legally incapable of giving consent. It remains to be seen whether this also includes the situation in which the data subject is in a dependent position and can therefore not be considered capable of giving consent in a legally valid manner, as discussed above.
The EDPB, a body in which all national data protection authorities from the European Union cooperate in their supervision of the GDPR, said nothing about this in its recent statement on the COVID-19 outbreak. This is unfortunate, since it did state that the condition of vital interests could be used as a legal basis in a working environment.
Thirdly, the processing of the test results could possibly be based on Article 9(2)(b) GDPR. It follows from this provision that personal data concerning health may be processed where such processing is necessary for carrying out the obligations and for the exercise of specific rights of the controller (i.e. the employer) or of the data subject (i.e. the employee) in the field of employment, where such processing is authorised by European or national law providing appropriate safeguards for the fundamental rights and interests of the data subject.
The question is whether Dutch law contains such a provision. The Dutch legal duty of care of employers to provide a safe working environment for their employees may offer a solution here. However, the DPA believes that this general duty of care does not imply that employers may process personal health data of employees in the event of a virus outbreak. Therefore, in the view of the DPA, an additional specific law would be required for this. And that law is currently (still) lacking. Although the DPA’s position is not decisive, it makes the use of this legal basis risky for employers.
Public interest in the area of public health
Lastly, the condition of public interest in the area of public health could possibly be used as a basis for the processing of the test results (Article 9(2)(i) GDPR). This legal basis was created to protect against serious cross-border health hazards or to ensure high standards of quality and safety of healthcare. However, even this specific exception can only be used if the processing in question is regulated by European or national legislation, which contains appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy.
Professional secrecy, in particular, is likely to make this basis unusable for employers. Occupational physicians are, of course, bound by professional secrecy.
For the time being, therefore, the deployment of an occupational physician and/or an occupational health and safety service seems inevitable for employers in order to be able to set up the use of corona rapid tests on the basis of the GDPR.