Last weekend a Dutch newspaper reported that many companies are losing sleep over the lockdown and the lack of testing capacity. Not surprisingly more and more organisations are considering to take the testing of employees into their own hands. Especially the use of corona rapid tests is often mentioned. But is the use of those tests permitted in a working environment? What measures can organisations take to make this possible? And what are the risks? These and other questions will be addressed in this blog series.
Does the GDPR apply?
In the first part of our blog series we discussed that the use of corona rapid tests could be arranged in such a way that it does not involve the processing of personal data. The use of corona rapid tests could therefore be kept outside the scope of the GDPR. As a result, the Dutch Data Protection Authority (‘DPA’) cannot take enforcement action against the use of such tests. However, this does not necessarily mean that the use of corona rapid tests is permitted.
What if the GDPR does not apply?
The private life of employees must also be taken into account on the basis of other laws and regulations. Think, for example, of Article 8 ECHR and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, under which the private lives and personal data of employees are also protected. Although the DPA does not supervise the compliance with the ECHR and the Charter, employees can (indirectly) invoke these provisions in the event of a dispute. As a result, the court may impose a ban on the use of corona rapid tests. In addition, compensation could also be awarded. This is something organisations should take into account as well.
The criteria of proportionality and subsidiarity play an important role in the provisions mentioned above. On the basis of these criteria, an employer will have to examine to what extent the invasion of the private life of his employees is proportionate in relation to his interest in the possible use of corona rapid tests. The employer will also have to assess whether the intended objective cannot be achieved in a less drastic manner. For example, by improving air circulation or by wearing mouth masks in the workplace.
In short, in order to assess whether the use of corona rapid tests is permitted, a balance of interests will have to be carried out in which the concrete interests of the employee are weighed against those of the employer. It is by no means a foregone conclusion that the interests of the employer in the use of corona rapid tests (such as performing work on location and providing a safe working environment for colleagues) are less important than the interests of an individual employee (such as the protection of his physical integrity).
Especially when it comes to work activities in vital sectors that cannot be carried out from home, the interests of the employer will carry quite some weight and it will be more likely that the use of corona rapid tests will be permitted.
Conclusion and recommendations
Whether or not the GDPR applies to the use of corona rapid tests in an employment context will strongly depend on the way the testing is set up. However, some organisations will not be able to avoid processing the results of corona rapid tests, or at least it cannot be ruled out that this will happen (for example, afterwards when reporting sick). And when it comes to the processing of personal data, your organisation will have to comply with the GDPR. In the second part of this blog series you can read what this means for your organisation.
Regardless of the answer to the question whether or not the GDPR applies, in any case safeguards will have to be put in place to keep the invasion to the privacy life’s of employees to a minimum.
Organisations are therefore advised to take the following measures when considering the use of corona rapid tests:
- Carry out a Data Protection Impact Assessment (DPIA) in advance to assess the impact of the intended (processing) activities on the protection of (personal) data. This is a good way to demonstrate that careful thought has been given beforehand to the way in which the corona rapid tests are used and how test results are handled. The main risks will be properly identified as well and can be minimised when necessary.
- Involve employees, the works council, and if applicable, the data protection officer, in the desirability of offering corona rapid tests.
- Document the usefulness and necessity of the use of corona tests. Take any alternative measures into consideration as well, such as the possibility to work from home, wearing mouth masks and other protective clothing, improving air circulation and/or keeping distance in the workplace.
- Make sure that reliable tests are used and that clear instructions are given on how to carry out the test, so that the chance an error occurs is as small as possible.
- If possible, have the tests taken by an occupational physician or an occupational health and safety service and make sure that only they and the employee in question receive the test results.
- Inform employees well and properly in advance of the use of corona rapid tests and of the possible consequences if they do not want to participate. Also inform them of the way to report sick and of what information should and should not be provided in the event of reporting sick.
- Record as little personal data as possible (data minimisation).
Would you like to know more?
Would you like to know if your organisation is allowed to use corona rapid tests and how the use of these tests is best performed? Would you like help with the execution of a DPIA? Or do you have other questions concerning privacy and corona? Then please contact Tom de Wit or Lisa Molenaars.