On March 13, 2020, the Belgian data protection authority ("APD") published its initial guidance (the "Guidance") to assist employers having to balance preventive measures for the health and safety of their employees while preserving the employees' right to privacy and data protection:

https://www.autoriteprotectiondonnees.be/covid-19-et-traitement-de-données-à-caractère-personnel-sur-le-lieu-de-travail

The Guidance was last updated on March 2020 and on March 31, the APD launched a dedicated COVID-19 page on its website (available here:

https://www.autoriteprotectiondonnees.be/epidemie-covid-19).

Snapshot of guidelines issued covering:

Asking employees about their diagnoses or symptoms

The APD made it clear that employers cannot oblige employees to fill in medical questionnaires or reports of recent travels. However, the APD suggests that employers may encourage employees to communicate voluntarily any symptoms or travels to highly infected areas.

Conducting or requiring examinations of employees

The APD pointed out that the assessment of health risks should be carried out by occupational physicians, namely the workplace doctors, and not the employers themselves. Similarly, only the occupational physicians and not the employers are authorised to conduct general and systematic health checks of the employees and visitors, such as temperature controls.

Sharing information about affected individuals

The fact for the employer to disclose the identity of data subjects who contracted COVID19 would likely a breach of GDPR. Rather, the physicians can detect infections and share such information to the employers and persons who have been in contact with the infected persons.

Any other relevant consideration from the guidelines

The APD reminds that the processing of special categories of data can only be based upon one of the legal bases set forth in Art. 9 (2) GDPR. Collection of health data as part of the COVID-19 pandemic cannot extensively and systematically be justified using Art. 6(1)(d) GDPR ("processing necessary to protect the vital interests of the data subject or of another natural person"). Further, while relying on the public interest in the area of public health could be possible, this would only apply for those processing activities required pursuant to explicit instructions from the authorities. The APD insists on employers to comply with the data protection principles of proportionality, transparency, data minimisation and purpose limitation. Should there be a reason for collecting the minimum required amount of personal data, employers shall ensure that employees are informed about the purposes for which their data are processed and the storage period of their data.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.