This post is part of a series on contact tracing apps. You can read our introduction to the series and get links to the other entries here.
There has been much discussion about contact tracing apps and their potential to be used to track COVID-19 cases as confinement regulations are loosened. While some countries have already started to implement such apps, this is not yet the case in Belgium. However, there have been legislative proposals and it appears that it may be implemented in due course.
As employees are slowly going back to work, companies are seeking ways to protect their workplace from further spread of COVID-19. This raises the question whether contact tracing apps could be used as part of a screening process to ensure the health and safety of your workplace.
To help navigate the complex legal environment around data privacy and employment law, we have set out below the main legal aspects that your business should take into account when considering using contact tracing apps as part of a screening process.
The use of contact tracing apps is likely to involve the collection of personal data. If you collect and process personal data such as the individual’s name, the EU general data protection regulation (GDPR) and its national transposition, the Law of 30 July 2018, will apply, making your business a data controller.
As a data controller, you would be under the obligation to comply with the following main requirements:
- Ensure that the processing of personal data pursues a lawful purpose: the processing of personal data is lawful provided that the data controller complies with the applicable legislation. This includes the GDPR and its national transposition but also any regulation that may apply from time to time. As the discussion on contact tracing apps is constantly evolving, we would recommend monitoring the legislative developments in such respect.
- Ensure you have a legal ground for the processing: note that the processing of data revealing health is, as a general rule, prohibited. However, article 9.2 of the GDPR provides for certain exemptions to this prohibition. If you decide to rely on the individual’s consent, as the cooperation of the individual is naturally required to obtain the data, be aware that the individual’s consent has a number of downsides, in particular that it can be withdrawn at any time.
- Ensure that the use of contact tracing apps takes place on a voluntary basis: in its guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, the European Data Protection Board has underlined the fact that the use of contact tracing apps should only take place on a voluntary basis.
- Ensure you have a data privacy notice in place: a data privacy notice, including the information required by article 13 of the GDPR, should be easily available (before or right at that moment of the screening) to every employee, visitor and customer being screened.
As a rule, employers are only allowed to check employees’ incapacity to work, and not their capacity. That said, employers have a general duty of care to ensure the health and safety of their employees at the workplace and therefore have to take precautionary measures accordingly. Proportionality will be key, and it will have to be assessed on a case-by-case basis whether the different features of the screening process are in fact proportionate.
Also, employee representative bodies may have to be involved in such process. Indeed, the use of contact tracing apps may be seen as a precautionary measure by the employer to ensure a healthy work environment, which may require the involvement of the health and safety committee. Further, the use of contact tracing apps by employees could potentially trigger information and consultation obligations towards the employees’ representative bodies if considered as a new technology under the national collective bargaining agreement no.39.
Finally, the use of contact tracing apps may result in the collection of geolocation data. In Belgium, the use of geolocation data is not regulated under any law or collective bargaining agreement. However, the geolocation data of an individual constitutes personal data and, therefore, falls under the scope of the GDPR.
Note that the Belgian data protection authority issued an advice on geolocation data before the GDPR entered into force in which it outlined the main safeguards that need to be considered when an employer uses their employees’ geolocation data.
Other posts in this series:
- Round 1: What’s happening?
- Round 2: Legal considerations for companies that want to use contact tracing
- Round 3: Are companies required to use contact tracing?