Privacy & Information Security Law Blog

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) recently published materials regarding the COVID-19 crisis, including recommendations and FAQs for employers and recommendations for employees. In the materials, the Dutch DPA emphasizes that, while fighting the virus and saving lives is the top priority, privacy must not be overlooked and the crisis should not become a prelude to a “Big Brother” society.

Key takeaways of the Dutch DPA’s recommendations are:

COVID-19 and the Workplace: Employers have an obligation to ensure a safe working environment. While employers may want to conduct health-checks on their employees to prevent infection, the Dutch DPA notes that specific rules apply to the collection of information in the event of illness at the workplace, in particular when such information qualifies as sensitive personal data.

FAQs: The Dutch DPA also answered questions regarding employment practices during the crisis. Notably, the Dutch DPA stated that:

• Employers are not allowed to process health-related data of their employees and therefore cannot ask their employees questions about their health or test their employees. Employers are also not permitted to document an employee’s reason for calling in sick, as this can only be done by a company’s doctor.
• If the company’s doctor suspects a case of coronavirus, he or she must immediately contact the Municipal and Regional Health Service (“GGD”), who will then consult with the employer on necessary workplace measures.
• If an employee presents any symptoms of illness, the employer can send them home.
• Employers may ask their employees to keep track of their health, particularly when working at home is not possible.

Safe Remote Working: As many people are working remotely during the COVID-19 crisis, the Dutch DPA stresses the importance to do so safely, so that data (including confidential and personal data) is adequately protected.The Dutch DPA recommends employees working remotely:

• Where possible, use equipment that is provided by the employing organization rather than personal devices;
• Be careful when using cloud, storage and email services, particularly when those services are offered free of charge;
• Ensure that confidential documents, including those containing sensitive personal data, are adequately protected (e.g., lists of customers and their contact details);
• Ensure that remote storage devices (e.g., USB sticks) are adequately secured, such as by using encryption;
• Limit, to the extent possible, the use of apps such as Facebook Messenger, Skype or WhatsApp to conduct business; and,
• Pay particular attention to emails coming from unknown sources and avoid opening any attachments those emails may contain.

Finally, given the current state of affairs, the Dutch DPA indicated that companies who have issues currently pending with the Dutch DPA will be given more time to respond to questions they receive, and deadlines for submitting information to the Dutch DPA will be extended, as necessary and subject to the Dutch DPA’s prior assessment (on a case-by-case basis).

Read the Dutch DPA’s statement (in Dutch).