On May 6, 2020, the Italian Supervisory Authority (“Garante”) published a list of frequently asked questions (“FAQs”) and answers on data protection and COVID-19 (see here, in English).
The FAQs build on and expand guidance previously issued by the Garante (see our blog post here), and take into account recent measures adopted by Italian authorities, such as the Protocol on Fighting COVID-19 in the Workplace that the Italian government signed with several trade unions on March 14, 2020 (see our blog post here), which was slightly amended on April 24, 2020 (see here).
Among other topics, the FAQs cover: (1) data processing by private employers in the context of the COVID-19 health emergency; and (2) data processing in clinical trials and medical research in the context of the COVID-19 health emergency.
(1) Data Processing by Private Employers in the Context of the COVID-19 Health Emergency
Body temperature checks: the FAQs confirm that companies may perform body temperature checks on employees, suppliers, visitors and customers at the entrance of their business premises. However, as a rule, the body temperature should only be measured in real-time, and should not be recorded. This reflects the rules set forth in the Protocol on Fighting COVID-19 in the Workplace mentioned above.
COVID-19 questionnaires: the FAQs state that companies may require their employees and visitors to provide information, including through a self-declaration, on their possible exposure to COVID-19 as a condition for accessing their business premises. In particular, companies may ask their employees and visitors to declare whether, during the last 14 days, they have had contact with individuals who are infected by the virus, or have visited one of the “risk areas” identified by the World Health Organization. However, employees and visitors should not be asked to disclose additional information on the infected individuals they have been in contact with or about the specific places they have visited. This is in line with the rules established by the Protocol on Fighting COVID-19 in the Workplace.
Data processing by occupational doctors: the FAQs note that, even in the context of the present public health crisis, occupational doctors (in Italian “medici competenti”) must not inform employers about the specific diseases suffered by their employees. However, if the health conditions of an employee are particularly fragile, the occupational doctor may suggest to the employer that he or she be assigned tasks in areas that are less exposed to the risk of COVID-19 infection (without informing the employer of the specific pathology affecting the employee).
Disclosure of the identity of infected individuals: the FAQs state that employers must not disclose the identity of an employee who has tested positive for COVID-19 to other employees within the company. However, the employer should share such information with the competent health authorities.
(2) Data Processing in Clinical Trials and Medical Research in the Context of the COVID-19 Health Emergency
Legal bases for processing health data in the context of COVID-19-related clinical trials: the FAQs indicate that, in the context of clinical trials on medicines for the treatment of COVID-19, sponsors and sites may rely on the following legal bases for the processing of patients’ health data: (i) consent (Art. 9(2)(a) GDPR); (ii) substantial public interest (Art. 9(2)(g) GDPR); (iii) public interest in the area of public health (Art. 9(2)(i) GDPR); or (iv) archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Art. 9(2)(j) GDPR).
Processing of health data where it is impossible to obtain the consent of patients: the FAQs state that if the circumstances make it de facto impossible to obtain the consent of a patient to the processing of his/her health data for COVID-related research purposes (or if obtaining such consent would require disproportionate efforts), clinical trial sponsors and sites should try to obtain such consent from a person who has legal authority over the patient, a close relative, a family member, or (in the absence of the latter persons) the manager of the center where the patient resides.
However, the FAQs note that where obtaining the consent from a third party is also impossible or it may seriously undermine the successful outcome of the research (e.g., where the processing concerns data of deceased patients or patients in intensive care units), the relevant data controller may process the data without submitting a prior consultation request to the Garante in accordance with Article 36 GDPR and Article 110 of the Italian Data Protection Code.
The Garante may decide to update the FAQs in the future, also in light of new questions that it will receive from companies. Covington will continue to monitor developments in this area.