Employers should NOT:

  • require that employees communicate to them daily a statement of their body temperature or fill out medical sheets or questionnaires
  • have visitors or other external persons sign a declaration by which they certify that they have no symptoms of the coronavirus or that they have not recently traveled to a risk zone, etc.

Employers SHOULD:

  • invite employees/agents to provide information in connection with a possible exposure to them or to the competent health authorities
  • facilitate the transmission of information by setting up, if necessary, dedicated channels to guarantee data security and confidentiality
  • promote remote working methods and encourage the use of occupational medicine


From the Irish Data Protection Commission:

  • Data protection law does not stand in the way of the provision of healthcare or management of public health
  • Measures taken in response to Coronavirus involving the use of personal data, should be necessary and proportionate and informed by the guidance of relevant authorities.
  • You may process  health data, under art 9(2)(i) GDPR once suitable safeguards are implemented (e.g access limitation, strict time limits for erasure, adequate staff training)
  • Employers have a legal obligation to protect their employees. Data may be processed under 9(2) GDPR where necessary and proportionate.
  • You may process personal data to protect the vital interests of an individual where necessary – e.g incapable of giving their consent.
  • An employer should not disclose that an employee has the virus to their colleagues. Instead, inform staff that there has been a case in the organization and request that employees work from home.
  • Principles of transparency, confidentiality, security, data minimization and accountability apply.

Read the full text of Luxembourg’s guideance. 

Read the Irish Data Protection Commission’s guidance.