On March 2, 2020, the Italian Supervisory Authority (“Garante”) published a “statement” in which it clarifies how companies should process personal data in the context of their efforts for preventing a spread of the coronavirus disease (“COVID-19”) among their employees and others in Italy (see here, in Italian).
The Garante made clear that companies must not collect in a systematic and generalized manner information on possible COVID-19 symptoms suffered by their employees (or their family members), as well as on their whereabouts. According to the Garante, the collection of such information should be left to healthcare authorities; companies should not engage in the spontaneous collection of health data of their employees, unless this is specifically required by law or requested by the competent authorities.
However, the Garante stressed that employees must normally inform their employers of any health and safety risk at work they are aware of, including risks of contagious diseases. Thus, companies may invite their employees to notify them if they have been recently exposed to epidemiological risk areas or have other relevant information regarding possible risks of contagion.
While the “statement” does not elaborate much on the reasoning followed by the Garante, it suggests that the Garante interprets rather strictly the conditions for processing health data under the GDPR. Thus, companies should not simply assume that, in light of the seriousness of the present public health crisis in Italy, any processing of the health data to prevent the spread of COVID-19 may lawfully occur on the basis that is “necessary to protect the vital interests of the data subject or of another natural person”, “necessary for reasons of substantial public interest” or “necessary for the purposes of preventive or occupational medicine”.
In any event, companies should carefully monitor, and comply with, any emergency measure that the competent Italian authorities may adopt in response to a possible further spread of the disease in Italy. It is unclear whether other EU supervisory authorities will adopt related guidance, as more organizations, including employers, respond to the public health threat posed by COVID-19 by implementing policies and introducing safeguards intended to prevent spread of the disease. Covington will continue to monitor developments in this area.