Privacy & Information Security Law Blog

The French Data Protection Authority (the “CNIL”) recently issued guidance for employers relating to the processing of employee and visitor personal data in the context of the COVID-19 outbreak (the “Guidance”). The Guidance outlines some of the principles relating to those data processing activities.

The Guidance stresses that employers may not implement measures to fight against the coronavirus pandemic that would infringe on employees’ or visitors’ right to privacy, especially by collecting personal health data that would go beyond what is necessary to determine potential exposure to the virus. Such data is subject to strict protection under the EU General Data Protection Regulation (“GDPR”) and the French Public Health Code.

In particular, employers may not collect – in a generalized and systematic way or through individual requests or surveys – information relating to the search for potential symptoms of employees and their relatives. Employers are therefore not allowed to take the following measures:

• Mandatory body temperature readings of each employee or visitor, which would be shared with managers on a daily basis; and
• Collection of medical forms or questionnaires from all employees.

Lawfulness of Processing

The Guidance further states that employers are responsible for the health and safety of their employees pursuant to Article L.4121-1 of the French Labor Code. In accordance with that provision, employers may take actions aimed at preventing occupational risks, informing and training employees, and marshalling appropriate resources. As part of these actions, employers may (1) raise employee awareness and invite employees to report information about themselves in connection with potential exposure to COVID-19 to the employer or the relevant health authorities; (2) facilitate the transmission of such information by setting up, if necessary, dedicated channels; and (3) facilitate remote working methods and encourage the use of occupational medicine.

In the event employees report suspected exposure to COVID-19, employers may record (1) the date and the identity of the person suspected of being exposed, and (2) the organizational measures implemented by the employer. In this respect, the Guidance emphasizes that each employee is obligated to inform their employer in the event they suspect they have been exposed to the virus.

Finally, the Guidance explains that public health authorities may collect personal health data. As a matter of fact, these authorities are solely responsible for evaluating and collecting information relating to COVID-19 symptoms and recent movements of individuals.

The above Guidance is subject to changes, depending on how the public health situation evolves. The Guidance encourages employees to follow recommendations from public health authorities and only collect personal health data that would have been requested by the relevant authorities.

Read the CNIL’s Guidance (in French).