The COVID 19 Pandemic (the "Pandemic") has certainly disrupted everyone's lives since early 2020. The "ray of sunshine", the vaccination, aimed at controlling this Pandemic has, however, created a certain kind of chaos, confusion and discord in our modern world society.
The Minister of Health issued a Decree on 8 July 2021, according to the powers vested in him by order of the Quarantine Law, Cap. 160, as amended (the "Decree"). More specifically, the relevant Decree imposes, amongst others, an obligation on a number of enterprises and individuals to request to review either:
- a negative laboratory (PCR) or rapid test carried out within less than 72 hours proving that the said individual is not COVID-19 infected; or
- certificate of vaccination with at least one dose having been administered provided that the timeframe of three weeks has elapsed; or
- confirmation that the said individual has been released after having been previously diagnosed as COVID-19 infected person, not later than 6 months of initially being diagnosed.
Evidence of any of the aforementioned can be considered as the so called "SAFE PASS".
The SAFE PASS is now mandatory in almost all aspects of a person's daily routine when it comes to human interaction.
The matter of personal data and the requirement of showing the SAFE PASS for any of our normal daily activities has therefore affected almost everyone. The purpose of this Article is to examine certain basic questions concerning personal data and the impact this has on each one of us from a legal perspective.
It is important to note that the Commissioner for the Protection of Personal Data (the "Commissioner") issued a set of FAQs on the 12 July 2021 (the "FAQs") answering a set of questions that have been raised and the fact that matters are now different from previous Decrees or orders as those issued earlier in 2020 - 2021.
GDPR: Special Categories of Personal Data
Under the provisions of Article 9(1) of the EU Regulation 2016/679 (the "GDPR"), one is not allowed to process certain categories of personal data which are considered as special, such as health information; unless certain provisions apply.
When considering this, we need to take a step back and identify what "processing of personal data" means.
As the GDPR clearly provides in the definitions section: processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Therefore, it is evident that the lawmakers had considered that any kind of use or making available of personal data could fall within the definition of processing.
It can therefore be safely argued that any kind of use or making available of the personal data to any third person for any reason would be considered as a processing activity. The troubling issue is whether the owner of a business is legally permitted to process such special categories of personal data.
Applying this to the present situation, the owner of a restaurant or business accepting people on their premises, is considered to be using or the visitors' personal data are made available to them. On the other hand, as a measure for the protection of their personal data, the FAQs indicate that they are prohibited from registering or in any case maintaining such information in their systems.
The GDPR allows, in very certain and limited cases, the processing of special categories of personal data. As analysed above, Article 9(1) expressly prohibits the processing of special categories of personal data; unless any of the exceptions offered by Article 9(2) are applicable. The GDPR provides a limited number of available exceptions. The Commissioner has noted in the FAQs, without expressly referring to the Article 9(2) exceptions, that such processing is necessary due to the current epidemiological situation which mandates the additional obligations. We can therefore only assume that the Commissioner may have relied on the exception that "processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross – border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy". It seems, though, that this condition might not be fully satisfied since the recipients or viewers of such information may not be bound by any particular professional secrecy.
From a legal perspective, it could therefore be argued that a general reference or assumption to the GDPR and the exceptions offered could not serve as a justifiable purpose for a free and uncontrolled processing activity of special categories of personal data.
The Commissioner has noted that the aforementioned measures, as these are analysed in accordance with the provisions of the relevant Decree, may be amended in case the epidemiological circumstances change.
Employment relationship and employer's/employees' liability
From an employment law perspective, it is a common understanding and interpretation that the relationship between employer and employee is an unbalanced relationship. The reason being that in any employment relationship, the employee is considered as the weak party to the relationship. For this reason, the legislative framework and legal precedence have been construed in such a way as to offer greater safety and security to employees and may be construed as pro–employee.
Once more, however, this may be overruled with the SAFE PASS situation. More specifically, the Decree clearly imposes the obligation on the employee to have in place the SAFE PASS, and on the employer to ensure that its employees comply with this requirement.
The Commissioner has clarified, through the FAQs, that an employer may register information as to its employees concerning their individual SAFE PASS; i.e., monitor and review when their tests might expire and/or the register when the said employee has carried out their vaccination in order for the employer to ensure that its respective employees actually have the SAFE PASS in place. But what happens in case an employee refuses to demonstrate that they have in place the SAFE PASS or even in case the employee does not wish to reveal such information to their employer? This would certainly bring both the employer and the employee to a difficult legal position. On the one hand, the employee is required to reveal special categories of their personal data to their employer and on the other hand, the employer is legally required to prove that its employees comply with the provisions of the Decree.
Therefore, in case an employee does not wish to reveal such information, then the employer might be required to take extreme measures against the said employee, such as denying him access to the employer's premises or even discharging the said employee from their duties. In such a case, this might be construed as constructive dismissal obligating the employer to duly compensate an employee for the loss of office and also possibly costing the employer a valuable employee. Depending on the mentality and interpretation of the Pandemic and its repercussions in our modern societies, this might lead to a number of employment law issues before the relevant employment tribunals.
Who is legally responsible to process such information?
According to the FAQs, the Commissioner has identified the relevant individuals that are responsible or authorized to process the information either by way of storing or merely reviewing them. This has somewhat been differentiated from the previous measures that were in place. More specifically, until very recently and in accordance with the FAQs dated 13 May 2021, as these had been issued by the Commissioner's office, only certain limited individuals were considered as competent to actually review the relevant certificate in any employment environment. This has now been revised by the new Decree, and the Commissioner has clarified with the latest FAQs that the legally responsible individuals are the individuals as these are noted in accordance with the Decree. In respect of places of work, this would be the relevant Safety Officer or if such an officer is not appointed, this would be the employer. Also, the police would have the relevant power to ask and see the SAFE PASS and so would a duly authorized and appointed officer be entitled to do so. In case of establishments such as restaurants, hotels, gyms or other places publicly accessible, the responsibility would burden the owner, director or manager of the place. It is equally important to note that in case of private gatherings in public spaces, such as wedding receptions in hotels, the responsibility for checking the SAFE PASS I on the owner or manager of the place, not the organizer of the event.
The GDPR sets out certain special circumstances when an organization is in need of processing personal data and/or special categories of personal data on the basis of its primary principles being accountability, integrity and confidentiality. Along with all the changes that the Pandemic has brought upon everyone, it has also imposed additional requirements and limitations in terms of the processing of personal data and ensuring that any actions to be taken are in line with this core principles as well. The intention should therefore be to unravel the complexities of the existing legal framework and create a safe and secure environment for people to continue with their lives without risk not only to their health but also to their personal data as well.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.