COVID-19 in France: Personal Data Protection in the Workplace

April 29, 2020

As prevention measures against the coronavirus (COVID-19) pandemic bump into the principles and guidelines of the EU General Data Protection Regulations (GDPR), the French Data Protection Authority has reinforced essential rules and good practices for companies to ensure employee personal data protection.

The French Data Protection Authority, Commission Nationale de l'Informatique et des Libertés (CNIL), expressed its views on various issues relating to the consequences of the pandemic on the processing and protection of personal data and on its monitoring activity for 2020.

As a reminder, while the current public health emergency requires all stakeholders to be particularly vigilant, the processing of health data is the responsibility of the health authorities qualified to take appropriate measures in light of the situation. The CNIL therefore asks that individuals and professionals follow the recommendations of the health authorities and collect data on the health of individuals only upon request by the competent authorities.

On April 8, CNIL President Marie-Laure Denis spoke to the French National Assembly's Law Commission. She stressed the importance of data protection issues in the context of the current health emergency.

Processing of Personal Data in the Workplace Amid COVID-19

Employer’s Obligations

While each individual must implement measures appropriate to the situation, such as limiting travel and meetings or respecting hygiene measures, an employer may not take any measures that could infringe on the privacy of its employees, in particular by collecting personal health data that would go beyond what is necessary to determine potential exposure to COVID-19.

Indeed, health data is subject to special protections provided by the GDPR, the French Data Protection Law, and the French Public Health Code. As a reminder, according to Article 9.1 of the GDPR, the processing of health data is, in principle, prohibited. It may nevertheless be authorized in a limited number of cases and, in particular, if the data subject freely gives his/her explicit consent.

The question of whether consent is freely given is generally questioned in the context of the employee/employer relationship.

More specifically, an employer may not collect, on a general and systematic basis, or through surveys and individual requests, information relating to the search for possible symptoms presented by an employee or his/her relatives. The employer is therefore not authorized to take the following measures:

  • Mandatory daily body temperature readings of each employee to be sent to his/her hierarchy (however, there seems to be a discrepancy between the positions of the CNIL and of the French Ministry of Labor, which has stated that "companies, as part of a comprehensive set of precautionary measures, may implement systematic monitoring of the temperature of persons entering their site"; the CNIL remains the competent authority in terms of data protection).
  • Collection of medical forms or questionnaires from all employees.

However, under Article L. 4121-1 of the French Labor Code, the employer is responsible for the health and safety of its employees. In this respect, it must implement occupational risk prevention measures, information, and training actions, and set up an appropriate organization and resources.

As part of its professional risk prevention actions, to deal with the current pandemic, the employer may do the following:

  • Raise awareness and invite employees to provide individual feedback to the employer or the competent health authorities regarding possible exposure.
  • Facilitate the transmission of this information by setting up, if necessary, dedicated channels.
  • Promote remote working methods and encourage the use of labor medicine. Indeed, labor health services are maintaining their activity at the service of companies and employees during the crisis. Moreover, Order No. 2020-386 of April 1, 2020 provides that, during this period, labor health services must, in particular, support companies in defining and implementing appropriate prevention measures against COVID-19. Finally, the order provides that labor doctors may participate in screening missions and prescribe work stoppages. Regulatory texts are due to be published shortly to specify these measures.

In the event of a report, the employer may record the following:

  • The date and the identity of the person suspected of having been exposed.
  • Organizational measures taken (containment, teleworking, orientation, and contact with the labor doctor, etc.).

The employer may then communicate to the health authorities, on the authorities’ request, the elements related to the nature of the exposure and necessary for any health or medical care of the exposed person.

The employer may also be required to draw up a business continuity plan, the aim of which is to maintain the essential activity of its business. This plan must, in particular, provide for the measures necessary to protect the safety of employees, and identify the essential activities to be maintained and the persons necessary for continuity of service.

Practically speaking, the employer must do the following:

  • Avoid, as far as possible, collecting information on symptoms. One solution may be to provide a list of symptoms and ask employees if they have any of the listed symptoms. The employer should then encourage the employee with symptoms to contact the health authorities or to inform HR or their manager.
  • Encourage employees to disclose to HR, their manager, or the company's health services their recent trips to a city or country identified as "at risk" (without specifically indicating the country) or their contact with a contagious or sick person, and note the person's name and the isolation measure taken (teleworking, time off work to care for children under 16, sick leave, etc.).
  • Must not record employees’ temperatures. It is preferable to record only limited information.
  • Limit questions to the information that is strictly necessary to ensure the health and safety of persons outside the company who are required to work in the workplace, and obtain the explicit consent of the persons answering the questionnaire to process data relating to their health, after having informed them in accordance with Article 13 of the GDPR.

All collected employee personal data must be erased when the health risk disappears.

If one of the employees is in quarantine, the employer must inform the staff representatives and other employees that one of their colleagues is in quarantine without identifying the employee.

Employee’s Obligations

All employees, for their part, are obligated, in accordance with Article L. 4122-1 of the French Labour Code, to use all means to protect the health and safety of others and themselves. Employees must therefore inform their employer in the event of suspected contact with the virus, in particular if the employer requests this information. Refusal to reply or to provide this information may be considered a violation of the above obligation.

As this is an extremely fluid and unpredictable situation, a reassessment of the measures taken must be expected in order to ensure the best possible protection of employees, in terms of both health and their personal data.

Fight Against Cybercrime

In the context of the COVID-19 pandemic, teleworking is a solution that requires reinforced security measures to guarantee the integrity of information systems and processed data.

The CNIL therefore recommends that a security charter or, at least, a set of minimum rules to be complied with for teleworking, be drawn up and communicated to employees in accordance with internal regulations.

In the event of a change in information system management rules to allow teleworking (change in authorization rules, remote administrator access, etc.), the risks incurred should be assessed and, if necessary, the necessary measures should be taken. Furthermore, if the services used are accessible online, protocols should be used to guarantee the confidentiality and authentication of the receiving server, using the most recent versions of these protocols.

The CNIL also recommends implementing two-factor authentication mechanisms on remotely accessible services to limit intrusion risks and regularly consulting access logs for remotely accessible services to detect suspicious behavior. Finally, the CNIL recommends not making unsecured server interfaces directly accessible and limiting the number of services made available to the strict minimum to reduce the risk of attacks.

The CNIL also recommends equipping all employees' workstations with a firewall, antivirus software, and a tool for blocking access to malicious sites, and implementing a VPN to avoid direct exposure of services on the internet as soon as possible. It presents all of these measures as a minimum and recommends using the latest versions of such equipment and software.

CNIL 2020 Survey Program

The CNIL states on its website that it conducts thousands of surveys each year. This program covers the entire year and concerns its other control methods, which are carried out online, on the basis of documents or by mail. In the current context, onsite inspections will most likely be postponed until the end of the pandemic, or at least after the containment measures announced by the French government on March 16, 2020, expire. Nevertheless, CNIL agents remain in operation, remotely, which means that other types of inspections could be implemented (or even replace some inspections initially planned onsite).

For 2020, the French authority has declared that it will focus its action on three main areas:

  • Safety of health data
  • New uses of geolocation data
  • Cookies and other tracking devices

The processing of health data is considered as "risky" processing because health data is treated as sensitive data and requires special precautions and measures. The CNIL maintains that recent health news (telemedicine, connected health objects, violation of personal data within public institutions) evidences that attention must be paid to the security of health treatments.

Processing involving geolocation data and cookies uses large volumes of data; the CNIL considers that this processing is particularly intrusive in the population’s daily lives. Particular attention should be paid to the evolution of the CNIL's recommendations concerning cookies and other tracers. Indeed, without waiting for the adoption of the future eprivacy regulation, the CNIL already adopted new guidelines in July 2019 and published in January 2020 a draft recommendation submitted for public consultation, which should be adopted soon. After a six-month awareness and adaptation period from the final publication of the recommendation, inspections and punitive actions by the CNIL will follow.

Coronavirus COVID-19 Task Force

For our clients, we have formed a multidisciplinary Coronavirus COVID-19 Task Force to help guide you through the broad scope of legal issues brought on by this public health challenge. We also have launched a resource page to help keep you on top of developments as they unfold. If you would like to receive a daily digest of all new updates to the page, please subscribe now to receive our COVID-19 alerts.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Charles Dauthier
Laetitia de Pelet