Following the outbreak of COVID-19 and its development into a global pandemic, organizations have been implementing exceptional measures to safeguard the health of employees, customers and others. Organizations are also endeavoring to maintain "business as usual" to the extent allowed by their particular circumstances.
As part of White & Case's ongoing legal updates on COVID-19-related issues affecting our clients' businesses around the world, this article discusses the resulting data protection compliance obligations under Czech law.
Many companies and individuals now find themselves in an unprecedented position: due to the crisis measures[1] taken by the government in an effort to flatten the infection curve and prevent the exponential spread of the virus, their functioning and, in some cases, even some of their rights are being infringed.
In order for the crisis measures to bear fruit, it is also desirable for companies themselves to restrict or monitor the movement of people entering their premises, or even to monitor the movement and health of their employees. In practice, such efforts require the collection and further processing of health-related personal data, which is subject to a strict regulatory framework under Article 9 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR")[2], as well as to other regulatory restrictions within local jurisdictions.
Misuse of this data can also significantly affect the personal lives of individuals, affect their social relations in the community, and violate their natural right to the protection of personhood or privacy. While governments and companies are forced to take measures to protect their citizens and employees, they must do so without putting society at greater risk in the long run by violating the rules on sensitive data. Therefore one of the key compliance concerns is the legal basis for the collecting and further processing of health-related personal data of employees, clients, visitors, business partners, and other persons present on the premises.
The European Data Protection Board (the "EDPB") commented on the situation on March 19, 2020. Its statement[3] addresses basic areas such as the lawfulness and basic principles of processing sensitive data, the use of location information from mobile devices, and employment in general. It reiterates that the GDPR is a broad piece of legislation laying down rules that also apply to the processing of personal data in situations such as the coronavirus pandemic,[4] as long as this is done with respect for democracy, the rule of law and human rights, including the rights to privacy and data protection. These views are echoed in a joint statement[5] on the right to data protection in the context of the COVID-19 pandemic published by the Committee of Convention 108 and the Data Protection Commissioner of the Council of Europe, which can also serve as an introduction to more in-depth legal analyses prepared by experts and by decision makers. The specific legal basis for such data processing, however, is mostly a matter of national law.
If we focus on private bodies, in the Czech Republic, the processing of personal data by businesses is mainly regulated by the GDPR, Act No. 110/2019 Coll., on the Processing of Personal Data and a number of other legal acts, which were amended to align Czech law with the GDPR.
Under Act No. 262/2006 Coll., the Labor Code, as a general rule, employers shall not request from their employees any information that does not relate to their employment or work performance. At the same time though, Section 102 of the Labor Code generally obliges the employer to create a safe and non-hazardous working environment and working conditions by means of appropriate organization of safety and health at work and by taking measures to prevent foreseeable risks. In specific situations, the employer is obliged to proceed so as to prevent, eliminate or minimize risks, and is obliged to take necessary protective measures in the event of danger, corresponding to the given circumstances. It is, of course, appropriate to proceed in co-operation with public health authorities, to which the employer is in some situations also obliged to report specific facts stipulated by legal regulations. As part of their precautionary obligation, employers must also inform other employees about the risks in an appropriate manner. One example of such a risk would be the presence of an infected person in the workplace. However, the facts about a specific person are to be communicated by the employer only to the extent necessary for the protection of health, and always so as not to affect the dignity and integrity of such person.
In practice, according to the guidance of the Ministry of Labor and Social Affairs[6] issued at the beginning of March, employees should notify their employer if they have returned from affected countries. Accordingly, it can be concluded that they should also inform their employer about any other potential risk of a COVID-19 infection. Employers are thus entitled to request information relevant to the protection of employees' health and safety, and to process that information in accordance with the applicable provisions and key principles of the GDPR (including data minimization, transparency, and security). However, employers should refrain from providing any specific information concerning their employees to third parties. Although it may be justifiable to inform customers/clients of a potential risk of coronavirus infection, disclosing any particular information relating to specific employees might be problematic.
The data protection rules permit the processing of special categories of personal data, among them data on health status including communicable diseases, where this is based on public health legislation, such as protection against serious threats to health. These rules apply to public health authorities, which include not only regional health authorities but also the Ministry of Health, the Ministry of Interior and the Ministry of Defense, which are authorized to process personal data to the extent and for the purposes set by Act No. 258/2000 Coll., on the protection of public health, including taking appropriate measures to reduce the further spread of infectious disease.
Even that, though, has to be done with due regard for personal data protection. The risk of improper intrusion into personal data by the above-mentioned public health authorities is mitigated by anonymizing such data for public use, i.e., by not disclosing, or by obscuring, any specific information that could be used to identify a person.
Further, regarding the provision of sensitive data, in practice there is often a need to hand over a patient's medical records to the doctor of their choosing. The procedure is regulated in Section 57, Paragraph 3, Letter d) of Act No. 372/2011 Coll., on health services, which states that this should be done at the written request of the patient or of the doctor of choice.[7] Another situation in which sensitive data is handled is when a health service provider passes data from medical records on to other entities, such as the State Institute for Drug Control or the Institute of Health Information and Statistics, which is the administrator of the National Health Information System. These entities are entitled by law to request data in accordance with the special laws that regulate their scope. For the persons obliged to report and transmit data, this processing of personal data is necessary for the fulfillment of their legal obligations pursuant to Article 6 (1)(c) of the GDPR. Entities authorized to inspect medical records without the patient's consent are listed in Section 65 (2) of the Health Services Act. All entities that store sensitive personal data have a duty to protect it from leakage or misuse, and if they learn that such an incident has occurred, they must report it immediately.
The use of technology and smart devices for containing the COVID-19 outbreak was anticipated by the EDPB, which is generally of the opinion that data and technology used to help fight COVID-19 should be used to empower, rather than control, stigmatize, or repress individuals. Furthermore, in Guidelines 4/2020, on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, the EDPB states that, while data and technology can be important tools, they have intrinsic limitations and can only support the effectiveness of other public health measures. In that context, countries must respect the general principles of effectiveness, necessity, and proportionality.
In this regard, the EDPB has taken the position that the use of contact tracing applications should be voluntary, and should not rely on tracing the movements of individuals, but rather on proximity information regarding users. The EDPB further emphasizes that when it comes to using location data, preference should always be given to the processing of anonymized data, and holds the view that a data protection impact assessment must be carried out prior to implementing such a tool, as the processing is considered likely to carry a high risk.
In the Czech Republic, this approach is being implemented through the so-called smart quarantine system, which mainly uses position data from mobile phones and data on the time and place of electronic payments. Such data, which is in principle protected by the confidentiality of communications and by banking secrecy, may be used by controllers with the consent of the data subjects. In the case of smart quarantine, the basic idea is to create a map of the movement of an infected person over a period of time, using the above data for tracing.
By a resolution of March 18, 2020,[8] the Government of the Czech Republic approved the creation of a legal framework for the so-called smart quarantine, under the following conditions. The Ministry of Health will authorize the Prague Regional Health Authority to conclude a cooperation agreement, on the basis of which the supplier will contact a person who tested positive for COVID-19 and, with that person's prior consent obtained by the Prague Regional Health Authority, will use the traffic and location data from their mobile phone to determine those persons with whom the infected person has been in contact and who may be at risk of infection. In the case of the use of electronic payment systems, the procedure is similar, with the data first being obtained from the banks by the Prague Regional Health Authority and then, with the prior consent of the persons concerned, transferred to the supplier for the purpose of contacting them.
From the personal data protection point of view, requiring the consent of individuals for measures taken to prevent a pandemic might seem unnecessary, as an appropriate legal basis for the processing of the necessary data could arise from Article 6 (1)(e) of the GDPR. Because such processing is necessary for an overriding public interest, there would be no need to rely on the consent of individuals.[9] Since the EDPB nonetheless stresses the criterion of free choice, smart quarantine is designed so that, if the infected person does not agree to the provision of data from their mobile operator and their bank, a health official conducts an interview with them instead, during which they also try to establish everywhere the person has been and whom they have met. Those who are potentially infected should then be isolated and tested as soon as possible. The data obtained may only be kept for the time strictly necessary to fulfill this purpose, which must never exceed six hours.
In the first half of April, the European Commission issued Guidance on apps supporting the fight against the COVID-19 pandemic in relation to data protection. According to this Guidance, mobile applications commonly installed on smartphones can support health authorities at the national and EU level in monitoring and managing the ongoing COVID-19 pandemic, and are particularly important when easing the measures adopted to reduce the spread of the disease. However, it is essential to find solutions that are fully in line with the requirements of personal data protection and privacy set out in EU law. In addition, these applications should be deactivated as soon as the pandemic is declared over. Furthermore, the protection of information in these applications should rely on state-of-the-art security features.
In addition to the above-mentioned smart quarantine, other applications are available. Users install these themselves, and explicit consent to the use of their data is required during installation. Consent can be refused or revoked at any time. One notable example is a smartphone application created by volunteers working on the Covid19CZ platform under the auspices of the Ministry of Health of the Czech Republic. It is called eRouska,[10] and it is intended to help health officials trace the people with whom an infected person has recently come into contact more easily, efficiently and quickly.
In practice, the application works as follows: when an infected person is identified and a health official asks them for an overview of the people they have met in recent days, the user sends the official a list of other eRouska users who were within Bluetooth range, including those they do not know personally. Furthermore, unlike other applications, eRouska does not monitor or collect information about the user's location; it only records other users of the application with whom the user has come into closer contact.
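To make the difference between proximity-based and location-based tracing concrete, the following is an added, simplified simulation of the proximity-only design the EDPB prefers and that the text attributes to eRouska. It is illustrative code written for this article, not eRouska's or Covid19CZ's implementation, and its parameters (a 15-minute pseudonym rotation, a 60-second scan period, a 14-day log retention and a 10-minute exposure threshold) are assumptions chosen for the example. Each simulated device broadcasts a rotating pseudonym derived from a per-device key, logs only the pseudonyms it sees and when, and, on request after a positive test, exports a contact list that contains no location and no persistent identity.

```python
"""Proximity-only contact tracing, simplified. Added illustration, not eRouska's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# All four parameters are assumptions made for this example.
ROTATION_SECONDS = 15 * 60          # pseudonym changes every 15 minutes
SCAN_PERIOD = 60                    # a device scans for neighbours once a minute
RETENTION_SECONDS = 14 * 24 * 3600  # encounter log is purged after 14 days
MIN_EXPOSURE_SECONDS = 10 * 60      # below 10 minutes of contact, no report


def ephemeral_id(device_key: bytes, t: int) -> bytes:
    """Rotating pseudonym: HMAC of the current rotation interval index.

    Without the device key, two pseudonyms of the same device are unlinkable,
    so a passive Bluetooth observer cannot track a person across intervals.
    """
    interval = t // ROTATION_SECONDS
    return hmac.new(device_key, interval.to_bytes(8, "big"), hashlib.sha256).digest()[:16]


@dataclass
class Sighting:
    peer_pseudonym: bytes   # what was heard over Bluetooth
    t: int                  # when; deliberately no GPS/cell location


@dataclass
class Device:
    name: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    log: list = field(default_factory=list)

    def beacon(self, t: int) -> bytes:
        return ephemeral_id(self.key, t)

    def observe(self, peer_beacon: bytes, t: int) -> None:
        self.log.append(Sighting(peer_beacon, t))

    def purge(self, now: int) -> int:
        """Storage limitation: drop sightings older than the retention window."""
        self.log = [s for s in self.log if now - s.t < RETENTION_SECONDS]
        return len(self.log)

    def export_contacts(self, now: int) -> list:
        """Contact list handed to a health official after a positive test.

        Aggregates sightings per pseudonym and applies the exposure threshold.
        A peer seen across a rotation boundary appears as two pseudonyms; that
        is the price of unlinkability and is accepted here.
        """
        self.purge(now)
        per_peer = {}
        for s in self.log:
            rec = per_peer.setdefault(s.peer_pseudonym, {"n": 0, "first": s.t, "last": s.t})
            rec["n"] += 1
            rec["first"] = min(rec["first"], s.t)
            rec["last"] = max(rec["last"], s.t)
        report = []
        for pseudonym, rec in per_peer.items():
            exposure = rec["n"] * SCAN_PERIOD
            if exposure >= MIN_EXPOSURE_SECONDS:
                report.append({
                    "peer_pseudonym": pseudonym.hex(),
                    "exposure_s": exposure,
                    "first_seen": rec["first"],
                    "last_seen": rec["last"],
                })
        return report


def simulate(t0: int = 1_000_000):
    """Constructed scenario: B is next to A for 12 minutes, C for only 3 minutes."""
    a, b, c = Device("A"), Device("B"), Device("C")
    for k in range(12):                      # 12 scans, one per minute
        t = t0 + k * SCAN_PERIOD
        a.observe(b.beacon(t), t)
        b.observe(a.beacon(t), t)
    for k in range(3):                       # brief encounter, under threshold
        t = t0 + k * SCAN_PERIOD
        a.observe(c.beacon(t), t)
        c.observe(a.beacon(t), t)
    now = t0 + 7 * 24 * 3600                 # a week later A tests positive
    return a, b, c, a.export_contacts(now)


if __name__ == "__main__":
    _, _, _, report = simulate()
    for entry in report:
        print(entry)
```

Note what the exported record does contain and what it does not: a pseudonym that only the peer's own device can link to itself, a duration, and two timestamps; no coordinates, no phone number, no persistent device identifier. Turning a pseudonym back into a person to be contacted is a separate step on the authority side that this example does not model.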
Aside from the Covid19CZ platform, various start-ups, IT experts and enthusiasts in the Czech Republic have effectively helped to flatten the curve of the local spread of the virus. Furthermore, there is a global effort to draw on technology and software developers to combat COVID-19 and to produce research results as quickly as possible. At the same time, legal questions concerning the use of health data for such research purposes keep arising, as is evident from the EDPB Guidelines on the processing of data concerning health for the purposes of scientific research. Similar research is already underway in the Czech Republic, and a crucial role in the processing of sensitive data will apparently be played by the data subject's verifiable consent.
[4] See Recital 46 of the GDPR.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP