On March 5, 2020, the Danish Supervisory Authority (“Datatilsynet”) issued a guidance document in which it clarifies how companies should process the personal data of their employees in the context of the coronavirus (“COVID-19”) crisis (see here, in Danish). This follows the publication of a similar guidance by the Italian Supervisory Authority (“Garante”) (see our previous blog here).
Datatilsynet’s approach seems more flexible than the Garante’s. According to Datatilsynet, an employer may, to a large extent, collect and disclose information on its employees, if the circumstances make it necessary, and provided that such a collection or disclosure is not prohibited under employment or health law and that the information in question is not very detailed and specific.
For example, Datatilsynet takes the view that, in the context of the COVID-19 crisis, an employer may lawfully record and disclose: (i) whether an employee has visited an epidemiological risk area; (ii) that an employee is at home in quarantine (without stating the reason); and (iii) that an employee is ill (without stating the reason). Although this is not expressly mentioned in the Danish guidance, it would seem logical to assume that the disclosure in question is to be understood primarily as a disclosure internal to the company.
However, Datatilsynet stressed that the collection and disclosure of information must be limited to what is necessary. Thus, before processing the data, the employer should carefully consider whether there are good reasons to collect or disclose the information in question, whether the purposes of the disclosure may be achieved by “telling less”, and whether it is really necessary to mention names (e.g., the name of the employee who is at home in quarantine).
The approach followed by Datatilsynet seems less stringent than that of the Garante, which recently took the view that companies should not engage in the spontaneous collection of information on their employees in connection with the COVID-19 crisis, unless this is specifically required by law or requested by the competent authorities.
As many organizations across Europe are currently implementing policies and introducing safeguards intended to prevent a spread of COVID-19, it is possible that other EU supervisory authorities will adopt similar guidelines. It is also possible that the European Data protection Board (“EDPB”) will issue guidelines on this matter, given that EU supervisory authorities seem to be taking different views on the issue at hand. Covington will continue to monitor developments in this area.