Coronavirus and data protection in Switzerland

The pandemic we are living through is affecting many fields: from employment to tax, from real estate to litigation. Another specific aspect to be considered is data protection. Indeed, due to the enormous risks of Covid-19, companies will have to process highly sensitive health data of employees. This situation raises many questions about how data protection compliance can be ensured in these exceptional circumstances, in particular now that the Swiss government has adopted strict measures to curb the spread and to protect the public.

Let’s analyze the main points in Switzerland according to some Swiss law firms, focusing on three key aspects of the issue: the type of data that can be collected, the length of time this data can be stored, and its disclosure to third parties. All this bearing in mind that the situation concerns different actors: “Employers, contract partners, insurance companies as well as authorities”, Walder Wyss writes in its Coronavirus information hub, a project it has launched to cope with the pandemic, which includes a section dedicated to data protection. All these parties “must regularly deal with questions relating to the processing of data concerning health in relation with the coronavirus”.

Niederer Kraft Frey has written a client note which specifies, among other things, that companies should only collect the necessary personal data, such as the existence of Coronavirus symptoms, information on recent professional and non-professional travel to risk countries, and close contact with persons who have recently been to risk countries and/or show Coronavirus symptoms. It is important to note that the legal basis for collecting health and travel data is legal obligation. In any case, “if companies introduce new employee related data processing activities or adapt existing ones, the employees must be informed in advance based on GDPR and Swiss law”, EY Law underlines. Also according to EY, “Data protection law does not restrict employers from checking body temperatures of their employees as long as no identifying information of the employees is collected”.

As Pestalozzi points out, “data can be stored as long as it is required for the purpose at stake. At the latest when the impact of the Covid-19 pandemic has ceased to exist, the data must be deleted”. Furthermore, “companies not having designated a data protection officer might have to declare their newly established data files related to Covid-19 measures to the Federal Data Protection and Information Commissioner (FDPIC)”. In any case, it is important to note that employees should receive a privacy notice prior to or at the moment of collection, setting out the type of data that will be collected, the purpose, and whether it will be shared with third parties. A data protection impact assessment (DPIA) might be required under the GDPR, but this is currently not yet necessary under the Swiss Data Protection Act.

Finally, “collections with sensitive personal data disclosed to third parties need to be registered with the Swiss Federal Data Protection and Information Commissioner”, NKF specifies. “With regard to medical data required to assess an employee’s vulnerability, the Covid-19 Ordinance can be invoked as statutory obligation”, Pestalozzi writes. Ultimately, without justification and notification, sensitive personal data should not be disclosed to third parties, including other group companies in Switzerland or abroad.