The Belgian DPO’s response to COVID-19
Given the topical issue of COVID-19 and its impact on data protection, the Belgian Data Protection Authority (BDPA) has decided to publish on its website a number of guidelines to provide clarifications on a Belgian level.
Firstly, the BDPA emphasized the General Data Protection Regulation’s (GDPR) applicability in employer-employee relationships under the current circumstances. When companies or organizations take certain measures to help combat COVID-19 involving the processing of personal data, the provisions of the GDPR must always be taken into account. At the same time, however, protecting personal data may not limit the battle against the spread of the virus, according to the BDPA.
The following recommendations were made over the course of the last months:
- With regard to the lawfulness of processing, there is currently no reason to base any processing of personal data on the ‘protection of vital interests’ of the data subject or another natural person in Belgium (article 6.1(d) GDPR);
- Processing health data is prohibited in principle, as it qualifies as a special category of personal data, unless an exception applies (article 9 GDPR);
- Performing systematic temperature checks on visitors and employees is permitted insofar as no additional data is recorded;
- Requiring employees to fill in a medical questionnaire is prohibited. However, it may be permitted to encourage employees to inform the company doctor of any symptoms and recent travels to unsafe areas; and
- Announcing the name of an infected employee is prohibited, given the principles of integrity and confidentiality (article 5.1(f) GDPR) as well as the requirement of data minimization (article 5.1(c) GDPR). However, it is allowed to inform other employees of an infection within the company or organization without further details. Furthermore, the identity of the infected employee may be communicated to the company doctor and competent government services if required.
Secondly, the BDPA has clarified some misconceptions in the development and use of eHealth applications. Among others, the following principles must be adhered to:
- Personal data may not be processed unless it is required for beneficial use. In any other event, no personal data of the user may be requested and strict anonymity must be maintained at all times;
- If the app is used within an existing care relationship between a healthcare provider or institution and patient, this must be explicitly stated. Personal data may only be processed in the qualitative context of providing continuous care by the provider or institution; and
- In case the above advice does not apply, the BDPA provided an overview of the applicable GDPR requirements to comply with when developing eHealth apps.