The Dutch DPA names recent examples of its lenient approach towards healthcare organisations, such as allowing a healthcare provider to reach out, via an intermediary, to the former healthcare personnel in order to temporarily reinstate them as doctors or nurses in cases of critical personnel shortages. Another example is advising general health practitioners on the use of video chat apps for communicating with the Covid-19 patients, where the DPA explains how consumer apps like Skype of FaceTime can be used as an exceptional measure during the Covid-19 coronavirus outbreak (see for more details the guidance of the Dutch DPA of 18 March 2020, available here).
The Dutch DPA stated generally that it will be understanding to the needs of organisations to focus their current resources on combatting the consequences of the Covid-19 coronavirus pandemic. Noting that fighting the virus and saving lives is a top priority, along with preventing the damage to the economy and society as a whole, the Dutch DPA stated that it will not come hard on organisations with enforcing privacy and data protection law. However, the supervisor emphasized that it will intervene in situations where the privacy of individuals is at real risk.
New guidance on processing of employee data in relation to Covid-19
In addition, the Dutch DPA updated its Q&A on processing of personal data of employees in relation to the Covid-19 coronavirus. The new Q&A supersede the brief guidance published on 11 March 2020, where the Dutch DPA had provided a strict interpretation of the applicable data protection law requirements. The new guidance stresses upon the uniqueness of the outbreak situation and offers a more flexible approach to tackling personal data protection in these circumstances. The main points of the new guidance are summarised below:
-
Checking whether employees have Covid-19:
-
only the healthcare organisations are allowed to perform such check during the pandemic;
-
other organisations must follow the guidelines established by the RIVM, actively inform employees about these guidelines and provide the guidelines in all languages of the employees;
-
employers may ask their employees to keep a close eye on their health, be alert for the symptoms and, for instance, check their own bodily temperature during the working day, in particular if employees are working on premises;
-
Employer may send employees home if they display symptoms of cold or flu, or if employer has doubts about their health condition. The Dutch DPA emphasises that this position is a deviation from the legal requirements due to the exceptional circumstances of the Covid-19 coronavirus outbreak, where the employer may require its employee to cooperate;
-
Employer may always ask an employee to contact a company doctor, occupational health service or general health practitioner to perform a health check for Covid-19 symptoms. In case a doctor suspects the virus infection, he or she will immediately contact the regional Public Health Service, which will, in consultation with employer, follow up with appropriate measures in the workspace.
Update 26 March 2020: The Dutch DPA established a section on its website dedicated to the Covid-19 coronavirus and moved there all relevant guidance. Although the majority of the changes appear to be only of editorial nature, the Q&A now explicitly state that if an employee voluntarily informs an employer about being infected with the Covid-19 coronavirus, the employer is not allowed to record or share this information.
You can read more on the position of the Dutch DPA and other privacy and data protection authorities worldwide in our Covid-19 coronavirus: (global) emerging data protection and cybersecurity guidance.
Conclusion
This new guidance from the Dutch DPA provides organisations with more flexibility to respond adequately to the Covid-19 coronavirus outbreak. However, the Dutch DPA gives a clear signal that any deviation from data protection and privacy laws is limited to what is strictly necessary and unavoidable for tackling the pandemic.
Please feel free to contact Nicole Wolters Ruckert if you would like to discuss the practical implications of the new guidance or have specific questions on the protection of personal data and cybersecurity aspects of the Covid-19 coronavirus pandemic in the Netherlands and worldwide.
