Temperature monitoring and other health checks would entail processing of medical/health data, which again are considered special categories of data pursuant to Article 9 GDPR. The Norwegian Data Protection Authority has confirmed that there is no legal basis under Article 9 GDPR that can be relied upon in order to process health data resulting from temperature testing of employees. In particular, Article 9(2)(b) cannot be relied upon as a legal basis for such processing in Norway under, for example, the Working Environment Act.
Asking employees whether they are experiencing typical COVID-19 symptoms is subject to the same restrictions as temperature monitoring, as stated above.
Asking employees whether they have been in contact with an infected individual or have recently travelled to high-risk countries is generally allowed.
Instead of initiating any of the above, employers may consider issuing general personnel policies requiring employees experiencing symptoms to stay at home.
Generally, employers in Norway can only require employees to disclose (and document) whether they are ill. Employers may not, with certain exceptions, require employees to disclose which illness they have been affected by.
An exception to this rule is that employers will need to know whether their employees are or have been affected by COVID-19 to exercise the expanded right to reimbursement of sickness benefits due to COVID-19 available in Norway.
Employers may consider issuing personnel policies requiring employees to stay at home if they or a member of their household have contracted COVID-19.
Yes, if necessary to mitigate the spread of COVID-19.
The Norwegian Data Protection Agency has stated in its guidelines regarding COVID-19 that, to the extent necessary to ensure a sound working environment (e.g. to mitigate the spread of COVID-19), the employer may provide information within a company that an employee has contracted COVID-19 or is in quarantine.
No, unless in order to comply with a request from a health authority which has sufficient legal basis in Norwegian law.
Generally, no.
Transferring health data constitutes processing of sensitive personal data and must comply with one of the exceptions found in Article 9(2) of the GDPR. Under certain circumstances, the exceptions in Article 9(2) may apply, but such exceptions would always be subject to case-by-case assessments. Therefore, we recommend seeking legal advice before initiating such transfers.
Yes, but subject to certain restrictions and conditions.
From a general point of view, employers may monitor employees at the workplace, but doing so must comply with both Norwegian employment law and Norwegian data protection law. Furthermore, specific types of monitoring (e.g. CCTV surveillance) are subject to additional restrictions. Therefore, we highly recommend seeking legal advice before initiating monitoring of employees.
Yes.
Other than the GDPR itself, employers need to comply with the Norwegian Data Protection Act and the Working Environment Act, the latter of which prohibits processing of employees' personal data with some limited exemptions.
The GDPR and Norwegian privacy laws are generally enforced by the Norwegian Data Protection Agency. Enforcement actions may include fines, damages and other actions set forth in the GDPR.
We do, however, expect the Norwegian Data Protection Agency to take a relatively light approach to minor deviations from privacy laws if such deviations may be justified for compelling reasons (e.g. to mitigate the spread of COVID-19).
In addition to the above, unlawful monitoring of individuals (including employees) may in some circumstances be subject to criminal liability.
Breach of privacy laws in an employment context may also constitute a violation of employment laws resulting in legal actions taken by the employee (or typically a trade union on behalf of the employee).