On March 5, 2020, the Danish Supervisory Authority (“Datatilsynet”) issued a guidance document in which it clarifies how companies should process the personal data of their employees in the context of the coronavirus (“COVID-19”) crisis (see here, in Danish). This follows the publication of a similar guidance by the Italian Supervisory Authority (“Garante”) (see our previous blog here).

Datatilsynet’s approach seems more flexible than the Garante’s.  According to Datatilsynet, an employer may, to a large extent, collect and disclose information on its employees, if the circumstances make it necessary, and provided that such a collection or disclosure is not prohibited under employment or health law and that the information in question is not very detailed and specific.

For example, Datatilsynet takes the view that, in the context of the COVID-19 crisis, an employer may lawfully record and disclose: (i) whether an employee has visited an epidemiological risk area; (ii) that an employee is at home in quarantine (without stating the reason); and (iii) that an employee is ill (without stating the reason).  Although this is not expressly mentioned in the Danish guidance, it would seem logical to assume that the disclosure in question is to be understood primarily as a disclosure internal to the company.

However, Datatilsynet stressed that the collection and disclosure of information must be limited to what is necessary.  Thus, before processing the data, the employer should carefully consider whether there are good reasons to collect or disclose the information in question, whether the purposes of the disclosure may be achieved by “telling less”, and whether it is really necessary to mention names (e.g., the name of the employee who is at home in quarantine).

The approach followed by Datatilsynet seems less stringent than that of the Garante, which recently took the view that companies should not engage in the spontaneous collection of information on their employees in connection with the COVID-19 crisis, unless this is specifically required by law or requested by the competent authorities.

As many organizations across Europe are currently implementing policies and introducing safeguards intended to prevent a spread of COVID-19, it is possible that other EU supervisory authorities will adopt similar guidelines.  It is also possible that the European Data protection Board (“EDPB”) will issue guidelines on this matter, given that EU supervisory authorities seem to be taking different views on the issue at hand.  Covington will continue to monitor developments in this area.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.