All processing should follow data protection principles, including the current atypical processing of personal data caused by the pandemic.
To provide a safe working environment and to protect the health of employees, we are of the opinion that employers may process personal data of employees related to:
- their travel history (whether and when the employee visited countries considered to be at risk; whether the employee was in contact with anyone who has visited those countries recently);
- their health data related to the presence of symptoms of COVID-19.
Employers are not allowed to perform medical checks; they may only process employees’ personal data that is adequate, relevant and limited to what is necessary to ensure a safe working environment and prevent the spread of COVID-19.
Employers may reveal personal data of potentially infected employee(s) within the organisation to prevent the spread of COVID-19 within the organisation and in the community.
For the processing of data not considered health data, the legal grounds on which controllers may rely are that the processing is necessary to protect the vital interests of the data subject or another natural person (Article 12 Paragraph 1 item 4 of the LPDP), and the legal obligation of the employer to ensure a safe working environment (Article 12 Paragraph 1 item 3 of the LPDP). The latter is further provided for in Article 80 of the Serbian Labour Law and Article 11 of the Serbian Law on Safety and Security at Work.
As for health-related data, the acceptable legal ground for processing may be that processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of a law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy (Article 17 Paragraph 2 item 9 of the LPDP).
Various European supervisory authorities have issued guidelines on this topic in the past days, and these guidelines provide similar interpretations of the applicable data protection regulations (please find some of the links below).