The issue of implementing questionnaires which gather health data and other information about the existence of risk factors, to both employees, collaborators and visitors, does not have a unified approach by the European Data Protection Authorities.
While some authorities expressly prohibit such methods of systematic and general data collection, others allow organizations to make their own assessment and to decide whether imposing on staff and visitors to fill in questionnaires or to sign statements about risk factors (including symptoms) is necessary and proportional.
EDPB
The EDPB, in its Statement on the processing of personal data in the context of the COVID-19outbreak, adopts an open perspective, expressing the following view:
“Can an employer require visitors or employees to provide specific health information in the context of COVID-19?
The application of the principle of proportionality and data minimisation is particularly relevant here. The employer should only require health information to the extent that national law allows it.”
Ireland
The Irish DPC has analyzed this issue in great detail. The PDC says that “employers would be justified in asking employees and visitors to inform them if they have visited an affected area and/or are experiencing symptoms”, considering the legal obligations to ensure workplace safety. However, if organizations wish to implement these checks through the means of questionnaires, the Irish authority indicates the following:
“Implementation of more stringent requirements, such as a questionnaire, would have to have a strong justification based on necessity and proportionality and on an assessment of risk. This should take into consideration specific organisational factors such as the travel activities of staff attached to their duties, the presence of vulnerable persons in the workplace, and any directions or guidance of the public health authorities.”
In addition, considering health and safety duties, employers would also be justified to ask employees to inform them if they have a medical diagnosis of COVID-19.
Hungary
NAIH has a permissive approach to using risk factor questionnaires, with some caveats. Employers must, first of all, decide if this method is necessary and proportionate and ensure that questionnaires do not include questions relating to medical history or requirements to attach medical documents.
France, Belgium and Luxembourg
In this case, the authorities are more conservative. The CNIL states that “employers must refrain from collecting in a systematic and generalized manner, or through individual inquiries and requests, information relating to the search for possible symptoms presented by an employee / agent and their relatives”. CNIL prohibits to implement the collection of medical sheets or questionnaires from all employees / agents.
The Belgian APD prohibits the application of medical questionnaires, stating:
“The employer cannot compel workers to complete such questionnaires. It is recommended to encourage workers to spontaneously report risky travel or symptoms. In this case too, the role of the occupational physician must be emphasized.”
In Luxembourg, the authority also included questionnaires on the “What not to do” list. Employers should not require employees to fill in medical forms or questionnaires and should not require visitors to provide standardized statements about the absence of symptoms and travels to risk areas.
Romania
The Romanian authority (ANSPDCP) is silent on this specific matter and indicates certain possible legal grounds and exemptions which allow processing of health data.
What to consider
In any case, the collection of health data must be legal under the GDPR, which means that it must be allowed under an Art. 9(2) exemption -> read more on this topic.
If an organization decides to implement questionnaires and statements (provided that their national DPA did not explicitly prohibit it), this should be done with the observance of the data protection legal framework, including he essential GDPR principles – fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality and, of course, accountability.