Up Again: Privacy and data

Privacy and data Q&A
Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

Temperature monitoring and other health checks would entail processing of medical/health data, which is considered a special category of data pursuant to Article 9 GDPR. The Norwegian Data Protection Authority has confirmed that there is no legal basis under Article 9 GDPR that can be relied upon in order to process health data resulting from temperature testing of employees. In particular, Article 9(2)(b) cannot be relied upon as a legal basis for such processing in Norway under, for example, the Working Environment Act.

Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high-risk countries?

Asking employees whether they are experiencing typical COVID-19 symptoms is subject to the same restrictions as temperature monitoring stated above.

Asking employees whether they have been in contact with an infected individual or have recently travelled to high-risk countries is generally allowed.

Instead of initiating any of the above, employers may consider issuing general personnel policies requiring employees experiencing symptoms to stay at home.

Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

Generally, employers in Norway can only require employees to disclose (and document) whether they are ill. Employers may not, with certain exceptions, require employees to disclose which illness they have been affected by.

An exception to this rule is that employers will need to know whether their employees are or have been affected by COVID-19 to exercise the expanded right to reimbursement of sickness benefits due to COVID-19 available in Norway.

Employers may consider issuing personnel policies requiring employees to stay at home if they or a member of their household have contracted COVID-19.

Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

Yes, if necessary to mitigate the spread of COVID-19.

The Norwegian Data Protection Agency has stated in its guidelines regarding COVID-19 that, to the extent necessary to ensure a sound working environment (e.g. to mitigate the spread of COVID-19), the employer may provide information within a company that an employee has contracted COVID-19 or is in quarantine.

Can an employer share information with a health authority about COVID-19 cases they become aware of?

No, unless it is to comply with a request from a health authority which has sufficient legal basis in Norwegian law.

Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

Generally, no.

Transferring health data constitutes processing of sensitive personal data and must comply with one of the exceptions found in Article 9(2) of the GDPR. Under certain circumstances, the exceptions in Article 9(2) may apply, but such exceptions would always be subject to case-by-case assessments. Therefore, we recommend seeking legal advice before initiating such transfers.

Can an employer monitor how employees move around the workplace to help keep social distancing rules?

Yes, but subject to certain restrictions and conditions.

From a general point of view, employers may monitor employees at the workplace, but doing so must comply with both Norwegian employment law and Norwegian data protection law. Furthermore, specific types of monitoring (e.g. CCTV surveillance) are subject to additional restrictions. Therefore, we highly recommend seeking legal advice before initiating monitoring of employees.

Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

Yes.

Other than the GDPR itself, employers need to comply with the Norwegian Data Protection Act and the Working Environment Act, the latter of which prohibits processing of employees' personal data with some limited exemptions.

What are the risks if I am in breach of the GDPR or local privacy laws?

The GDPR and Norwegian privacy laws are generally enforced by the Norwegian Data Protection Agency. Enforcement actions may include fines, damages and other actions set forth in the GDPR.

We do, however, expect the Norwegian Data Protection Agency to take a relatively light approach to minor deviations from privacy laws if such deviations may be justified for compelling reasons (e.g. to mitigate the spread of COVID-19).

In addition to the above, unlawful monitoring of individuals (including employees) may in some circumstances be subject to criminal liability.

Breach of privacy laws in an employment context may also constitute a violation of employment laws resulting in legal actions taken by the employee (or typically a trade union on behalf of the employee).