Coronavirus | Good practice for personal data processing in France

In the wake of the current crisis, companies can take measures to ensure the safety of their employees and business partners against Coronavirus. Within this framework, they will therefore process their employees' personal data. The following good practices will help to ensure that businesses remain compliant with data protection regulation.

DOs

Legal basis

As regards the processing of personal data with the purpose of protecting employees and preventing the spread of the Coronavirus, several legal bases can be considered, including:

• the legitimate interest of the company to protect the safety of people;
• the legal obligation in the event that the French Government decides to move to stage three of the Government's action plan.

Minimisation

The collect of personal data must be proportionate. It is possible to ask whether a person has certain symptoms or has just returned from a so-called "at risk" country.

Retention period

If you create a file with personal data you will not be able to keep it for more than 30 days (quarantine lasts generally 14 days). After this period, this record must be definitively deleted.

Security

If you create an electronic file with your employees' personal data, save it in a restricted access area protected by a strong password. Only a few people should have access to it.

DONTs

Proportionality

The measures taken must be proportional and some behaviours are prohibited, such as imposing temperature control on all employees. It is also not possible to require disclosure of an employee's entire medical file.

The CNIL is expected to provide recommendations on Coronavirus in the coming days. These good practices are therefore likely to be modified or strengthened following that publication.