Data Protection

A. Introductory remarks

The Coronavirus (officially called “Covid-19”) continues to create an evolving list of challenges for the global business community including the business community of Cyprus. Whilst the virus has been declared as a pandemic, we recognize that companies and their business operations are already significantly affected, and a substantial disruption is occurring at almost all levels. This briefing note looks at the potential impact of Covid-19 on businesses and focuses in particular to the data protection challenges companies and employers have to face during this unprecedented global health crisis. More specifically, it offers a practical guide on how companies can manage and mitigate the risks of Covid-19 while ensuring a safe environment for employees and clients as well as remaining in compliance with the data protection laws and regulations. For a general high-level guidance on the key employment and contractual related considerations for companies whose business operations or part of them are governed by Cyprus law please click here.

B. Covid-19 and EU General Data Protection Regulation: Where is the balance?

The primary goal of the EU General Data Protection Regulation (known as the “GDPR”) is the protection of the personal identifying information of data subjects. Moe specifically, processing of such personal information is limited by the GDPR’s enumeration of data subject rights. These rights, however, are not unconditional and under circumstances of civil crisis, some of these protections and rights might be suspended or restricted. In other words, the regulation allows the temporary suspension of some data-protection rights in times of crisis such as the outbreak and exponential global spreading of Covid-19.

Covid-19 and its spread across borders is a concern for employers around the world including Cyprus based employers. Whilst employers have an obligation to ensure the safety and health of their employees and visitors, measures intended to ensure a safe business environment can increase processing of employees’ and clients’ personal data.

Collecting and processing “sensitive (health) data”:

Monitoring the Covid-19 situation and taking measures in order to ensure and protect the health and safety of employees and visitors, may require employers to process more health data than usual.

Some of the most commonly raised related questions by our clients so far are the following:

    • Can I require employees or clients to undergo a medical examination?
    • Can I check their temperature before entering my company’s premises?
    • Can I require employees to inform my HR department once they have certain Covid-19 symptoms?
    • Can I require employees to provide me with health data in order to establish whether employees belong to a “vulnerable group” and thus in a more danger?
    • Can I use health data I already hold for a new purpose? For example, if I hold sick notes for the purposes of administering employees sick pay can I use these sick notes for a new purpose and check amongst others for history of respiratory illness?
    • Can I disclose health data to public authorities in case of emergency?

Before employers process “sensitive (health) data” during the Covid-19 health crisis, they should have regard to Article 9 of the GDPR. Article 9 provides that special category data, which includes health data, should not generally be processed, except in a limited number of situations, which are listed in article 9(2). In particular, if employees’ consent cannot be relied on as a valid condition to process such data (something that is highly likely), then one or more of the following alternative conditions under Article 9.2 may apply:

    • 9.2(b) – “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law”.
    • 9.2(g) – “processing is necessary for reasons of substantial public interest”.
    • 9.2.(h) – “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services”.
    • 9.2(i) – “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care”.

In order to establish whether any of the above can legitimately be relied upon by employers, they have to consider whether they can establish that processing of “sensitive (health) data” is necessary in order to safeguard employees and/or clients/visitors as well as to combat the threat of Covid-19. This will largely depend (i) on the level of threat posed by the virus in the geographic area of the business; (ii) on whether the processing activity achieves a proportionate balance between on the one hand the data rights of individuals concerned and on the other the efforts to combat the threat and ensure a safe environment for employees and visitors/clients; and (iii) on whether any alternative less intrusive measures are readily available. 

Collecting and processing other personal data:

Except of what has already been mentioned above, other measures that are usually under consideration by companies during their efforts to combat the threat of Covid-19 raise a number of data protection questions. Within this context we are often dealing with queries such as the following:

    • Can I ask employees and receive information about their travel plans (either before or after a holiday abroad)?
    • Can I use contact details of employees and clients to inform them for any Covid-19 related business decisions?
    • Can I text or email employees to inform them about workplace opening arrangements?

Both the GDPR as well as the Cyprus data protection legislation, require companies/employers to have a lawful basis before they collect and process such information.

In such cases, it is important to be remembered that employees’ consent is difficult to be regarded as a lawful basis for Covid-19 related data processing activity given the perceived imbalance of power between the company and the said employees.

Therefore, unless the processing becomes truly necessary to protect the “vital interests of the data subject or of another natural person” (usually understood to mean an emergency, “life or death” situation), it seems likely that the most appropriate lawful basis to rely on would be the legitimate interests of the controller (company/employer) or a legal obligation imposed by an applicable legislation. Such legitimate interest must be solid enough in order not to be overridden by the fundamental rights and freedoms of the data subjects (being employees and/or visitors/clients).

In light of the above, although in ordinary circumstances requesting to receive personal data such as details on travelling activity outside the workplace would constitute an unwarranted intrusion into private and family life, taking into consideration the current health crisis, an employer could have a valid, legitimate interest in asking employees to disclose where they are going on holiday, or have recently been as well as to use their contact details to communicate any related business decisions. The employer has a clear interest in and an obligation to ensure the safety of all staff and visitors where the employee works and must take into account the rights of all data subjects. In this situation, it is likely that the employer’s legitimate interest is not overridden by the individuals’ privacy rights.

It is thus fundamental for companies to always balance confidentiality and privacy of data subjects with their duty of care to other employees and visitors/clients before requesting and processing any personal data.

Retention of personal data collected and processed during Covid-19 crisis:

Whilst the extent of the threat is unknown, companies must ensure that they follow a data protection policy that is transparent on the purpose of processing as well as retention of data collected. They must in particular consider how long this type of data should be retained by closely monitoring the relevant global Covid-19 developments as well as any guidance issued by their local Data Protection Authority.

C. Concluding remarks and key takeaway for companies

In light of the serious global threat posed by this virus, data protection is not likely to be the primary concern for companies. We know however that businesses are keen to understand and, where possible, to comply with their data protection obligations in order to avoid related fines that will place an extra burden on them during these very difficult times.

With that said, we have summarised below some of the key data protection considerations for companies/employers:

    1. Companies must review and if needed amend their employee and client data protection privacy policies and notices in order to address any identified gaps whilst prioritizing the efforts to protect employees’ and clients’ health and safety. More specifically, companies must ensure whether existing privacy policies and notices are sufficient to cover the data to be collected during the Covid-19 crisis (ie data of employees, visitors, customers and other data subjects) as well as the processing of such data. Most importantly, such policies and notices must provide employees and clients with clear information about the company’s related decisions and plans.

    2. For many group of companies it may be necessary to provide a supplementary privacy notice with key information about the additional purposes of processing personal data and special category data.

    3. To help mitigate some of the data-related risks noted above, businesses may wish to establish prudential protocols for the manner in which they will collect, use, secure, retain and share any information collected during the Covid-19 crisis. Businesses should consider GDPR and other legal requirements, such as taking appropriate information security measures and applying data minimization rules.

    4. Subject to certain conditions, companies may need to consider whether a data privacy impact assessment is required before they proceed with new data-related activities during the pandemic crisis.

    5. If such health data will be transferred outside the company, companies must ensure that the contemplated transfers are covered under an appropriate GDPR data transfer mechanism.

    6. Employers who seek to rely on consent (eg by requesting employees and visitors to tick a consent box) should consider the fact that, in an employment context, consent is often deemed to be invalid due to the imbalance of power between the employer making the request and the employee, who may feel compelled to provide the information. Consent under the GDPR must also be revocable, which may undermine the organisation’s monitoring process. It is thus essential for companies to establish the basis of their new data-related activities.

    7. Any information collected should be kept at all times confidential; be limited to the absolute necessary and be in line with the data protection principles of data minimisation and purpose limitation (i.e. safeguard employees and visitors and combat the threat of the virus).

The exponential spreading of Covid-19 generates a number of challenges for companies/employers around the world including those based and operating in Cyprus. Apart from any commercial and business-related challenges, companies are also likely to confront privacy questions as they seek information on employees’ and clients’ health and travel activities in an effort to guarantee a safe business environment for everyone. In order to achieve a balance between, on the one hand, their duty to ensure the health and safety of employees and visitors, and on the other, the data protection rights of those involved, employers will need to consider these issues in a holistic and coordinated manner and closely monitor Covid-19 developments and related guidance issued by Data Protection Authorities.

Our firm is closely monitoring the relevant developments and can provide legal advice on the interplay of Covid-19 related issues and data protection concerns. For further information please do not hesitate to contact us.

DisclaimerThis note serves as a general overview of the relevant Cyprus legislation and the information set out shall not be considered as a legal advice nor shall be relied upon by any natural or legal person. G.C. Hadjikyprianou & Associates LLC shall not be liable for any damages incurred by any person who relied solely on the information provided herein. For the avoidance of any doubt, this note is merely intended to highlight key issues and not to be comprehensive and no party shall re-produce and/or use the same without our prior written consent. Use of the information provided herein is subject to our Terms of Use.