Iceland’s data protection authority offers advice on GDPR compliance during the COVID-19 outbreak.
Key takeaways
- Information that a person is quarantined is generally not considered to be sensitive personal information, but it is appropriate to pay particular attention to the principles of the Data Protection Act on data minimization and fairness.
- Maintain only the minimum information about the illness or quarantine needed so that the wage calculation is correct and the collective bargaining rights are guaranteed. There is no need to mention COVID-19 specifically; it is enough to say illness.
- Ensure security and stringent access controls. Retain the information only for as long as necessary.
- Don’t share the name of an infected employee unless absolutely necessary. You may need to share the names with health authorities.
- Questionnaires with yes or no questions regarding travel or symptoms are allowed for employees, students and visitors. Questions with open answers require a detailed risk assessment.
- You may take the employee’s temperature with their consent.