Up Again: Privacy and data

Privacy and data Q&A
Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

Only on a voluntary basis. According to the Act on the Protection of Privacy in Working Life (759/2004), when carrying out any health examinations and tests or taking samples, healthcare professionals, properly trained laboratory personnel and health care services must be used. All medical examinations must be performed by a physician or another health care professional. Employees have the right to attend a medical examination or procedure during their working hours.

Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

Basically, yes. However, the processing of personal data always requires a legal basis, which must be determined before the start of processing (e.g. the consent of the person). Health data belongs to the special categories of personal data and may be processed only if an exception to the prohibition has been provided for in the GDPR or specifically in Union law or national legislation. Health data refers to information about an individual’s health, diseases, disability or treatment. According to the guidelines issued by the Office of the Data Protection Ombudsman of Finland, the information that someone has travelled to high risk countries is not health data.

Employers can rely on Article 9(2)(b) GDPR to process health data, but must also assess the additional requirements that apply to processing the health data of employees. In the employment relationship, the employer is only allowed to process personal data that is directly necessary for the employee’s employment relationship: data connected with managing the rights and obligations of the parties to the employment relationship, with the benefits provided by the employer for the employee, or arising from the special nature of the work concerned. The health data of an employee can only be processed if it is necessary for the payment of salary, to establish whether there is a justified reason for absence, or if the employee expressly wishes his or her working capacity to be assessed. In addition, the employer has the right to process health data in the specific circumstances separately provided for in legislation.

Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

Only on a voluntary basis. Note that the processing of employees’ health data is permitted only if it is necessary 1) to pay sick pay or other comparable health-related benefits, 2) to establish whether there is a justified reason for absence, or 3) if the employee expressly wishes his or her working capacity to be assessed on the basis of data concerning his or her health.

Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

The employer can inform other employees of the infection or potential infection in general terms, but cannot name the colleague in question.

Can an employer share information with a health authority about COVID-19 cases they become aware of?

No, the employer is under an obligation of confidentiality concerning the health data of employees. In Finland, the notification obligation rests with physicians and laboratories. According to the Communicable Diseases Act, physicians and/or laboratories must notify the Finnish Institute for Health and Welfare of suspected or diagnosed cases of COVID-19.

Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

Only if it is necessary for the payment of salary, to establish whether there is a justified reason for absence, or if the employee expressly wishes his or her working capacity to be assessed. For other purposes, the employer can inform its affiliates in general terms, and according to the organisation’s practices, that the employee is prevented from carrying out his or her duties. It should be noted that an employee’s health data may only be processed by people whose job description includes such processing. The employer must either designate such individuals in advance or specify the tasks that involve processing health data. Individuals who process health data are subject to a confidentiality obligation.

Can an employer monitor how employees move around the workplace to help keep social distancing rules?

General monitoring of employees without collecting employees’ data is permitted. The collection of employees’ data always requires a legal basis, which must be determined before the start of processing. If an organisation considers introducing a new technical device for monitoring purposes, the obligations arising from the GDPR’s requirements must be evaluated on a case-by-case basis. Additionally, the employer must assess whether a data protection impact assessment (DPIA) is required before adopting the new device.

Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

There are several privacy laws that an employer must comply with, such as the Act on the Protection of Privacy in Working Life, the Data Protection Act, the Communicable Diseases Act and the Occupational Safety and Health Act.

What are the risks if I am in breach of the GDPR or local privacy laws?

Among other things, the risks depend on factors such as the size of the organisation, the amount of personal data and the nature of the personal data processed by the controller. The sanctions may be, for instance, an administrative fine or a notification. The Data Protection Ombudsman is the national supervisory authority, which supervises compliance with data protection legislation. The Data Protection Ombudsman and the Deputy Data Protection Ombudsmen form the Sanctions Board tasked with imposing administrative fines in accordance with the GDPR.