You might be processing health-related personal data
If you process the personal data of employees or suppliers who are infected with the Coronavirus or who are at risk of developing a severe illness if they become infected, then you are processing health-related data.
Processing health-related personal data should be justified under one of the applicable GDPR exceptions
The processing of health-related personal data is prohibited, unless you can rely on one of the exceptions expressly set out in Article 9 paragraph 2 of the GDPR:
- The person concerned has given you his/her explicit consent
- The processing is necessary for the purposes of carrying out some of your obligations in the field of employment, social security and social protection law
- The processing is necessary to protect the vital interests of the data subject (or another person) where the data subject is physically or legally incapable of giving his/her consent
- The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis or the provision of health care or treatment
- The processing is necessary for reasons of public interest in the area of public health
Depending on your organisation type and the measures you take, at least one of these exceptions will most likely apply.
Data minimization, storage limitation and information
You cannot process any personal data that is not strictly necessary for monitoring and managing the Coronavirus outbreak. Once there is no need any more to keep such personal data (for example, when the Covid-19 outbreak is over), you should delete it.
Data subjects must be informed in accordance with the requirements of Articles 13 and 14 of the GDPR.
Records of processing activities
The processing of health-related data, including for coronavirus outbreak purposes, must be registered in the records of processing activities that each controller and processor should have.
Local rules
The GDPR allows EU member states to introduce further conditions and/or limitations for the processing of health-related data. The Belgian Act of 30 July 2018 provides that, in addition to the GDPR, a controller subject to the Belgian data protection laws must keep a list of the categories of persons having access to health-related data. In addition, such persons must be bound by a statutory or contractual confidentiality obligation.
Data Protection Impact Assessment (DPIA)
To the extent that the processing of personal data for the purposes of the Coronavirus outbreak is likely to result in a high risk to the rights and freedoms of individuals (such as a refusal to honour a contract, systematic monitoring or profiling on a large scale), you should carry out a DPIA.
The above information is merely intended as comment on relevant issues of Belgian law and is not intended as legal advice. Before taking action or relying on the comments and the information given, please seek specific advice on the matters that are of concern to you.