Given the exceptional situation caused by the Coronavirus, Privacy Authorities are facing the challenge of finding a balance between the need to combat the spread of the virus and the protection of privacy rights, and of reacting effectively and flexibly to a situation that evolves day by day.
Italian Authorities recently issued certain decisions in connection with the Covid-19 emergency, which include (i) the statement on Covid-19 of the Italian Data Protection Authority (the “Garante”) of 2 March 2020 and (ii) the Protocol of 14 March 2020, signed by Trade Unions and Trade Associations, for the regulation of measures taken to combat and control the spread of the Covid-19 virus in the workplace (the “Protocol”).
With its Statement of 2 March 2020, the Garante underlined that, in compliance with the principles set forth in the General Data Protection Regulation of the European Union of 27 April 2016 (the “GDPR”) and in Italian Legislative Decree no. 196 of 2003, as amended by Legislative Decree no. 101 of 2018 (the “Privacy Code”), employers must refrain from collecting data related to employees’ health in advance and in a systematic and generalized manner, because any such activity is the responsibility of healthcare professionals (i.e. so-called family doctors) and the civil protection system. The Garante recalled that, conversely, it is the duty of the employee to inform the employer of any potential danger to health and safety in the workplace.
The Protocol clarified the powers, the limits and the procedures that employers can put in place, as a result of balancing the opposing interests at stake (i.e. the continuation of economic activities, the right to privacy and the guarantee of health and safety in the workplace). It contains specific provisions in connection with, among others:
- Information flows during the emergency. Companies must inform all employees, as well as anyone who has access to the workplace, about the Authorities’ provisions by handing them the appropriate information brochures or posting these at the entrance or in any visible place.
- Data processing activities before entering the office. The employer can (i) ask its employees for a ‘self-declaration’ that they do not come from epidemiological risk areas and have had no contact with people positive for the Covid-19 virus within the last 14 days, as well as (ii) take the temperature of the employees at the entrance to the company’s premises.
All procedures above include processing of personal data of the employees and must be implemented in compliance with data privacy laws including:
- the provision of the information notice pursuant to the GDPR and the Privacy Code, even if in a simplified manner;
- the company cannot request information that is not necessary for the purpose of preventing contagion;
- the company shall implement security measures in order to process the personal data in compliance with the data privacy laws;
- the people of the company who will be involved in collecting the personal data shall be previously identified, trained and made aware of the data protection rules applying to the processing activities;
- all personal data collected in the context of the emergency can be processed exclusively for the purpose of prevention from contagion by Covid-19 and should not be disseminated or communicated to third parties outside the specific regulatory provisions.
The European Data Protection Board (“EDPB”) recently adopted two Statements, on 16 and 19 March 2020, with the purpose of giving guidelines on the issue of the processing of personal data in the context of the Covid-19 outbreak.
- In the 16 March Statement, the Chair of the EDPB stated that the GDPR applies even in the context of the Coronavirus pandemic. Even if the processing of personal data concerning health is prohibited as a general principle, it is allowed when such processing is necessary for reasons of protecting public health or the vital interests of the employees. Finally, in connection with the processing of electronic communication data (i.e. mobile location data), the EDPB reminded that each State of the European Union has the power to introduce legislative measures pursuing national security and public security.
- In the 19 March Statement, the EDPB considered the fight against the Coronavirus pandemic as a common goal of all nations to be supported in the best way possible, but any measure launched in this context shall respect the general principles of law and must be reversible. With respect to the processing of telecom data, the EDPB clarified: (i) as to the use of mobile location data, Public Authorities should first try to process them in an anonymous way, enabling cartography. If a State introduces measures allowing the non-anonymised location of data, it is obliged to adopt adequate safeguards, applying the proportionality principle (i.e. in terms of duration and scope, limited data retention and purpose limitation); (ii) employers should only require health information as far as national law allows it and process personal data in compliance with the principles of proportionality and data minimization.
Authorities are taking an extensive approach, prioritizing the safeguard of public health, but at the same time have helped companies in identifying the minimum requirements that shall be complied with, in order to protect the right to privacy and the compliance with the principle of limitation of purpose, on the assumption that the personal data collected during the emergency can be processed exclusively for the period and the purpose of prevention from contagion by Covid-19.
 At the initiative of the Italian Prime Minister, the Minister for Labor and Social Policy, the Minister for Economic Development and the Minister for Health.
 Article 20 of Italian Legislative Decree no. 81 of 2001, the Health & Safety Code.
 Please note that the 14 March Protocol shall be applied taking into consideration and in compliance with the Decree of 22 March 2020, adopted by the Italian Prime Minister with the purpose of introducing additional measures on containment and management of the Coronavirus pandemic. The Decree established further restrictions on productive activities, clarifying that companies whose activities are not suspended must operate in accordance with the 14 March 2020 Protocol.
 Note 1 of the Protocol.
 Notes 1 and 2 of the Protocol.
 The European Data Protection Board is an independent European body, which is composed of representatives of the national data protection Authorities and the European Data Protection Supervisor (EDPS).
 At the European level, see also https://www.enisa.europa.eu/tips-for-cybersecurity-when-working-from-home, for some top tips for teleworking in times of Covid-19, published by the European Agency for Cybersecurity.
 Article 9, paragraph 1, and recital 35, GDPR.
 Articles 6 and 9, paragraph 2, GDPR.
 Art. 15 of the e-Privacy Directive states that Member States may adopt legislative measures when the restriction of the scope of the rights and obligations provided for in the Directive constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defense, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system.
Avv. Francesca Petronio, Avv. Manuela Hyeraci