COVID-19: Data collection and processing activities
On 16 March 2020, the Swiss government adopted strict measures to curb the spread of COVID-19 and to protect the public, including the closure of establishments open to the public. Manufacturing sites without public contact are allowed to maintain operations, but are at the same time required to implement measures to protect their employees' health and more generally to help stop the further spread of the virus.
Such measures by necessity include the collection and processing of personal data of all individuals entering and working at the manufacturing sites (e.g. health and travel data, information about the activities of the employees' families) and need to comply with Swiss data protection law.
For Swiss companies responsible for a manufacturing site this means:
- Collect and process only personal data about employees and visitors that is necessary to achieve the purpose of ensuring public health and the company’s own business continuity.
- Inform persons potentially concerned by the data collection and processing activities adequately in advance.
- Delete the data at the latest when the impact of the COVID-19 pandemic has ceased to exist.
- Disclose personal medical data to other group companies only if the purpose cannot be achieved by disclosing anonymised data.
- Observe usual safeguards and intragroup data transfer rules for cross-border data transfers.
The Swiss COVID-19 Ordinance, as amended on 16 March 2020, does not provide for specific data protection rules. Insofar as companies operating manufacturing sites collect and process personal data for the purpose of implementing COVID-19 measures, the general principles set out in the Federal Act on Data Protection (FADP) must be observed.
Which personal data can be collected and processed?
Companies responsible for a manufacturing site shall only collect and process personal data about individuals entering and/or working at the site that is necessary to achieve the purpose of protecting employees’ health and limiting the further spread of COVID-19 in the interest of ensuring both public health and their own business continuity.
The Swiss COVID-19 Ordinance requires employees particularly vulnerable to COVID-19 to stay away from their workplaces and, where possible, to work from home (see Legal Update from 17 March 2020 for more detailed information). Accordingly, companies must collect data about the actual health and medical conditions of their employees to assess who qualifies as being particularly vulnerable. Other measures needed to protect employees and ensure both public health and business continuity might also require data processing. Examples include the collection and processing of:
- Up-to-date and regular information about COVID-19 symptoms or contacts with COVID-19 patients from employees and visitors to the company's facilities
- Detailed information about employees on sick leave for appropriate allocation of available workforces
- Information about family activities (who is taking care of the children, do persons at risk live with family, etc.)
- Access and other data related to the use of remote devices by employees when working from home
All processing activities must be carried out only in a way that is purpose-related and proportionate. This means such activities should be limited to the minimum necessary to achieve the purpose. Whether the collection and processing is proportionate depends on the specific circumstances of each company.
Medical data, which qualifies as sensitive personal data, is particularly worthy of protection and the above-mentioned principles must be applied strictly. However, processing of such data does not, under Swiss law, require explicit consent.
In fact, the collection and processing of information about the health of all employees and visitors may be considered to be justified by the interest of ensuring both public health and the respective company’s own business continuity. Also, the reasonable collection of medical data required to assess an employee's vulnerability is in general justified by the COVID-19 Ordinance. Similarly, with regard to other data, companies are able to justify reasonable processing activities with reference to their obligations under employment and safety laws as well as the overriding interest to protect all their employees. The purpose of ensuring business continuity can also qualify as an overriding private interest depending on the specific data and circumstances in question. Companies active in the provision of care or therapeutic products might even rely on public interests regarding their business continuity, as the assurance of the provision of care and therapeutic products is a primary purpose of the COVID-19 Ordinance.
In any case, the persons potentially concerned by data collection and processing must be adequately informed in advance even under such extraordinary circumstances.
How long can such data be stored and is a notification to the FDPIC necessary?
In general, data can be stored as long as it is required for the purpose at stake. At the latest when the impact of the COVID-19 pandemic has ceased to exist, the data must be deleted.
Companies that have not designated a data protection officer might have to declare their newly established data files related to COVID-19 measures to the Federal Data Protection and Information Commissioner (FDPIC). A notification is required if they regularly process sensitive personal data (including medical data) or disclose it to third parties and no exception, such as a statutory obligation, applies. With regard to medical data required to assess an employee’s vulnerability, the COVID-19 Ordinance can be invoked as a statutory obligation.
Can such data be transferred to other group companies within Switzerland and abroad?
Without justification, sensitive personal data should not be disclosed to third parties, including other group companies in Switzerland or abroad. Companies might want to share certain data with other group companies in order to coordinate the assignment of available workforces in the best manner within the group. This is in principle permitted, provided that the transfer of personal medical data for this purpose to other group companies is necessary as the purpose cannot be achieved by disclosing anonymised data only.
Cross-border data transmission must comply with the general principles provided in the FADP. Accordingly, data may only be transferred if the receiving country has an adequate level of data protection or other safeguards for ensuring an adequate level have been implemented. As an exception, personal data may be transferred abroad if the transfer is required in order to protect the life or the physical integrity of the data subjects, i.e. the employees and visitors of the manufacturing sites. It remains questionable whether this justification can be invoked in relation to COVID-19 measures, as the transfer of personal data abroad is in most cases not directly necessary to protect the data subject's health. Accordingly, the usual safeguards and intragroup data transfer rules should be observed for cross-border data transfers related to COVID-19 measures.
Contributors: Lorenza Ferrari Hofer (Partner), Severin Etzensperger (Associate)
No legal or tax advice
This legal update provides a high-level overview and does not claim to be comprehensive. It does not represent legal or tax advice. If you have any questions relating to this legal update or would like to have advice concerning your particular circumstances, please get in touch with your contact at Pestalozzi Attorneys at Law Ltd. or one of the contact persons mentioned in this Legal Update.
© 2020 Pestalozzi Attorneys at Law Ltd. All rights reserved.