Telecom operators must complete an impact analysis before transmitting location data for COVID-19 tracking purposes. The processing of location data has to be carried out in an anonymous and aggregated way.

When an employee has COVID-19 symptoms, document their identity, date they became aware and organizational measures taken (e.g. teleworking).

Symptom collection must be necessary and proportionate to fulfill legal basis. The service industry can collect the time of entry and exit of a consumer to and from the premises, along with their phone number. However, they are not allowed to collect consumer temperatures.

Organizations should only disclose identifying information when necessary to protect employee health. Disclosure of the information may not harm the dignity and integrity of the infected individual. Public health authorities may require telecoms to provide data to identify and track the outbreak. This includes location data from mobile phones. Users must be informed of such disclosures.

It is permissible to collect the following information from an employee or visitor:

• whether the employee or visitor has returned from a risk area

• whether they are under quarantine (without stating the reason)

• whether they are ill (without stating the reason)

Limit details of personal data to only what is necessary.

It is permissible to ask whether an employee or visitor:

• has been in a risk area

• has been exposed to infected people

• is fit to work

Personally identifying information should only be disclosed if necessary to protect employees’ lives, health or liberty. Personally identifying information can be disclosed to specific individuals with whom the infected worker has been in contact.

Organizations can ask whether an employee:

• is infected by the virus

• returned from an infected area

• is in quarantine (without additional information).

However, individual identities cannot be disclosed to others.

Personal data should only be collected to manage the virus. Any individual inquiries into symptoms presented by an individual are prohibited. 

Temperature screenings using a thermometer are permitted at entrances. However, automated tools, such as thermal cameras, are not permitted. Furthermore, temperature screenings cannot be mandatory and employees are entitled to refuse.

It is permissible to ask whether an employee:

• has been infected

• has been in contact with an infected person

• has visited an known infected area

In workplaces with particularly close contact employers can measure employees’ body temperatures and ask employees if they are experiencing specific symptoms.

Names and contact details of visitors can be collected and transmitted to health authorities upon request.

Prior to the transmission of cell phone data, the following must be considered:

• voluntary participation based on informed consent

• narrow purpose limitation for movement and contact data

• effective pseudonymisation and secure transmission

• decentralized storage on mobile devices

• deletion of data after the 14 day quarantine period

Employee questionnaires are permitted based on risk assessment. However, they cannot include medical history or health documentation.  In addition, screenings with diagnostic devices (thermometer) are prohibited. Only healthcare professionals can test employees, and share results of exams with employers only.

Questionnaires are permitted that ask if an employee:

• visited a risk area

• is experiencing symptoms

• had contact with someone who traveled to a risk area.

Temperature measurements are permitted only with employee consent.

Organizations can ask whether an employee:

• visited an affected area

• is experiencing symptoms

• has been diagnosed with the virus. 

However, employee identities can not be disclosed. 

It is permissible to collect from employees and visitors whether they have come in contact with an infected person. Systemic, continuous or generalised collection of symptoms or visits to places outside the workplace is prohibited.

An individual’s temperature should only be recorded when necessary to document the reasons that prevented access. 

Employers must communicate the names of infected employees to public health authorities and work with public health authorities to identify close contacts of the individual. The identity of the individual should not be disclosed to coworkers or other staff.

It is permissible to to ask employees and visitors whether they have visited a particular country or are experiencing COVID-19 symptoms. If specific data must be collected, do not collect more than necessary.

Organizations are permitted to ask employees if they have been abroad in the last 14 days and/or in contact with COVID-19. 

Employers are not entitled to disclose information reported from employees.

Employers are allowed to test for symptoms if an employee travelled to a country of risk, was in contact with an infected person or someone who travelled to a country of risk, is at home due to quarantine and lastly if an employee feels sick even without specifying the illness. Collection of medical records or temperature readings of staff or visitors is prohibited. Data involving location can only be processed when anonymous or the individual has given consent.

Organizations can ask employees and agents to provide information about virus exposure to the employer or competent health authorities. 

Organizations do not need to require employees to communicate daily about their body temperatures or fill out medical questionnaires; or for visitors to sign pre-established declarations certifying their health or recent travel.

If an employer is informed of an infected employee, they must record:

• the date and identity of the person

• the containment measure taken

• any contact with occupational health services.

Communicate information to health authorities upon request.

All data collected must be for a specific and legitimate purpose. Data regarding location for isolation moderating must be secured properly and deleted once the purpose is achieved.

Employers should not: 

• process medical data of staff

• ask employees about their health or to take a test

• keep track of the reason for absences due to illness.

A company doctor may test employees for COVID-19. Personal medical data can not be collected or processed. Company doctors can test employees, but results are only shared with the employee tested.

Employers can collect employee and visitor temperatures and health data when instructed to do so by the Chief Sanitary Inspector. Employers must inform all persons whose personal data will be collected in accordance with GDPR requirements.

Employers can not collect and register information on health status. They are also prohibited from collecting and registering employee body temperatures.

The disclosure of the identity and health status of individuals is only permitted with consent. Data subjects must be informed if their data is being processed for COVID-19 purposes.

Health data can only be processed under a valid legal basis. Observe proportionality when processing data of the potentially infected. Employers and the media can not publicize information about infected individuals.

The employer should only request health information to the extent permitted by national law. Temperature readings can be collected in accordance with national law and are required at entrances to hospitals and industrial plants. Records of employees who have had their temperature checked are kept and reported to the workplace management.

On a case-by-case basis, temperatures can be collected, but must not be recorded in an identifiable way. Inform individuals that temperatures will be collected and conduct DPIA to determine risks associated with temperature collection. Apps can obtain location data through terminal equipment if the individual agrees or in a case of urgent exception. Data collected by contact tracing apps should be deleted.

The processing of health data must be exclusively limited to what is necessary for the intended purpose. 

It is permissible to ask staff and visitors if they have been infected, however, questions should be limited exclusively to inquiring about the existence of symptoms or if the individual has been diagnosed or subject to quarantine.

Do not ask questions unrelated to the virus or circulate extensive health questionnaires.

Employees must inform their employer and/or occupational health delegates if they are not fit for work. 

The identity of the individual should not be disclosed unless where necessary for the purpose of protecting the health of staff. Disclosure to health authorities is permitted upon request.

The Catalan Data Protection Authority noted that citizens can communicate information to public health authorities if the facts, data or circumstances may constitute a risk or serious danger to the health of the population.

The collection of body temperature is generally prohibited. Personal data should only be collected if necessary. The individual’s identity should not be disclosed unless necessary to fulfill a legal obligation under labour law.

Any collection of health data for the purpose of preventing infection (e.g. collection of body temperatures at the entrance of a building) must be limited to what is necessary to achieve the purpose.

It is permissible to ask employees or visitors if they have traveled to an affected area and/or are experiencing symptoms of COVID-19. However, requests for information must have a strong rationale based on necessity and a risk assessment. Do not disclose the identity of the individual or provide excessive details. Where it is necessary to identify the employee or visitor, inform the infected individual in advance.

Employers are allowed to collect information about employees’ recent visits to particular countries or they are experiencing symptoms. Do not collect more specific health data than needed and ensure appropriate safeguards are applied. Before testing an individual or obtaining an individual’s test results an employer must be able to demonstrate the reason for testing or obtaining the individuals’ results.

Monitoring of employees must be necessary and proportionate as well as done within the employees’ reasonable expectations. Employers are urged to consider if less intrusive means can achieve the same purpose.