On March 2, 2020, the Italian Supervisory Authority (“Garante”) published a “statement” in which it clarifies how companies should process personal data in the context of their efforts to prevent the spread of the coronavirus disease (“COVID-19”) among their employees and others in Italy (see here, in Italian).

The Garante made clear that companies must not collect in a systematic and generalized manner information on possible COVID-19 symptoms suffered by their employees (or their family members), as well as on their whereabouts.  According to the Garante, the collection of such information should be left to healthcare authorities; companies should not engage in the spontaneous collection of health data of their employees, unless this is specifically required by law or requested by the competent authorities.

However, the Garante stressed that employees must normally inform their employers of any health and safety risk at work they are aware of, including risks of contagious diseases. Thus, companies may invite their employees to notify them if they have been recently exposed to epidemiological risk areas or have other relevant information regarding possible risks of contagion.

While the “statement” does not elaborate much on the reasoning followed by the Garante, it suggests that the Garante interprets rather strictly the conditions for processing health data under the GDPR. Thus, companies should not simply assume that, in light of the seriousness of the present public health crisis in Italy, any processing of health data to prevent the spread of COVID-19 may lawfully occur on the basis that it is “necessary to protect the vital interests of the data subject or of another natural person”, “necessary for reasons of substantial public interest” or “necessary for the purposes of preventive or occupational medicine”.

In any event, companies should carefully monitor, and comply with, any emergency measure that the competent Italian authorities may adopt in response to a possible further spread of the disease in Italy. It is unclear whether other EU supervisory authorities will adopt related guidance, as more organizations, including employers, respond to the public health threat posed by COVID-19 by implementing policies and introducing safeguards intended to prevent the spread of the disease. Covington will continue to monitor developments in this area.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.