News Update Privacy & Data Protection

Dutch DPA relaxes position on coronavirus measures in the workplace

As the coronavirus crisis unfolds, many employers want to take measures to ensure that their employees are safe. Several organisations in the Netherlands have indicated that they wish to check their employees' body temperature before they enter the workplace or worksite (if working from home is impossible), as fever may be an indication of coronavirus infection.

Initially, the Dutch DPA published guidance on its website which prohibited employers from monitoring their employees for coronavirus in any way. In newspapers earlier this month, the Dutch DPA also expressed its strict interpretation of data protection and privacy laws in an employment context, especially as regards health data. Recently however, the Dutch DPA has updated this guidance (in Dutch) to the benefit of employers.

The guidance can be summarised as follows:

• Employers should comply, and instruct their employees to comply, with all government instructions and restrictions regarding coronavirus.
• Employers may ask their employees to monitor their own health, including during working hours. For example, employees may be required to monitor their own body temperature.
• By way of exception, the Dutch DPA considers it permissible for employers to send sick employees home. This is the case when the employee shows signs of a cold or flu, or when the employer is "in doubt" about whether the employee is infected with coronavirus or not.

An alternative, which was already suggested by the Dutch DPA in its earlier guidance, is for employers to engage and refer their employees to the external company doctor (bedrijfsarts).

On 20 March, the Dutch DPA also announced that it will give organisations "more time" because of the coronavirus outbreak. It said that it understands that privacy is currently not the number one priority for many organisations. Although it is not entirely clear what this means, we interpret the communication to mean that the Dutch DPA will hold off any enforcement actions in relation to coronavirus-related data processing activities, or in any case take a lenient approach.

Working from home during the coronavirus crisis

The Dutch Data Protection Authority (Dutch DPA) has issued guidance on working from home during the coronavirus crisis.

We recognise that the temporary transition from working in an office environment to having a substantial part of your organisation working from home can lead to practical and sometimes frustrating challenges. In order to minimise the risk of unauthorised access to data and data breaches, employees should continue to adhere to their organisation's standards for IT and information security, and exercise additional caution when accessing, sending or otherwise processing sensitive data.

When using freely available communication apps such as FaceTime and Skype, employees are advised to consider whether sharing sensitive information via such apps is appropriate. Where possible, it helps employees to keep information secure if the organisation makes secure communication tools available as an alternative to freely available apps.

Tips for staying secure when working from home from the Dutch DPA:

1. Work in a secure environment.
   • Where possible, login to your organisation's server and work on the organisation's systems. Where applicable, use the hardware made available by your organisation.
   • Be cautious with the use of cloud, storage or email services, especially when these are offered free of charge. These types of service may use your personal data for other purposes, such as marketing or sales to third parties.
   • Be extra cautious when processing sensitive personal data.


2. Protect sensitive documents
   • If sensitive documents are not on your organisation's server, but on a USB stick or other carrier, be sure to transfer these documents to your organisation's server. If documents are only available in paper form, scan the documents and only use the digital files.
   • If it is necessary to carry data on a USB stick, ensure the data is encrypted.


3. Be cautious when using chat and video chat services
   • When discussing sensitive data, use available secure means of communication such as telephone or secure video chat services.
   • Be cautious when using unsecured video chat services, such as FaceTime or Skype.
   • Where possible, do not discuss names of persons when discussing sensitive personal data (such as medical data) on unsecured means of communication.


4. Watch out for phishing emails.
   • Cyber criminals are expected to take advantage of this crisis; be careful when receiving emails with coronavirus information as they may be fake.
   • As always, do not click on links or attachments in emails of unknown origin.