What are the guidelines issued?
The French data protection authority ("CNIL") has released a statement on March 6, 2020 reminding a few data protection principles to apply in the context of the Covid-19 crisis:
Snapshot of guidelines issued covering:
Asking employees, customers, vendors, and visitors about their diagnoses or symptoms
It is not possible for an employer to collect and process information about its employees, his/her relatives and visitors concerning their health condition, whether globally or individually, either through the collection of medical sheets or questionnaires or by way of binding body temperature testing of each employee / visitor.It is however recommended for an employer to inform visitors, customers and employees entering the buildings about Covid-19 and to invite them to contact the company as soon as possible in case of suspicion of contagion or symptoms (it is recommend to appoint a specific person to whom the employee, visitor or customer will report).
Employees have a duty to report to their employer any suspected contact with the virus.
Conducting or requiring examinations of employees
Health data are subject to specific protection both by the GDPR and the French public health code. This code notably provides for a strict medical secrecy which prohibits any doctor from disclosing information regarding an employee's health condition. In any case, an employer can only refer employees to the company occupational doctor who is bound by the same professional secrecy.
Sharing information about affected individuals
In the event of a report, an employer may:
- record the date and identity of the person suspected of having been exposed;
- list the organizational measures taken (confinement, teleworking and contact with the occupational doctor, etc.); and
- as the case may be, inform health authorities.
The CNIL does not specify that other employees may receive such information. The employer should, in order to comply with its health and safety obligation, inform the employees of a potential risk of infection. However, it does not seem necessary to provide the employees with the name of the sick individual. Should it be necessary to reveal the name of the person concerned, the individual concerned should be informed in advance and provide his/her prior consent.
Any other relevant considerations from the guidelines
Employers should follow directions given by public authorities and process health data only to the extent required by such authorities.
Visit us at mayerbrown.com
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
