EDPB clarifies COVID-19 workplace and health data rules

The EDPB clarified GDPR rules for employee health data during COVID-19 in April 2020. You can process health data for workplace safety, but necessity, proportionality, and legal basis still apply. Temperature checks? Document your justification.

Fact-checked and reviewed — Kodi C.

High-level summary

On , the European Data Protection Board issued full guidance on processing personal data during the COVID-19 pandemic, clarifying how GDPR applies to employer health measures, contact tracing, and remote work monitoring. The guidance establishes boundaries preventing organizations from using the pandemic to expand surveillance while acknowledging legitimate needs for health data processing.

The EDPB clarified appropriate legal bases for COVID-19-related processing:

  • Legal obligation: Employers may process health data when national law requires specific workplace health measures such as reporting or testing requirements.
  • Public interest: Processing may be justified by significant public interest in controlling disease transmission, particularly for organizations in healthcare or essential services.
  • Vital interests: In emergency situations, processing to protect life may apply, though this basis should not be routine.
  • Consent: The EDPB noted that employee consent is generally not a valid basis given the power imbalance in employment relationships.

Organizations must identify and document the specific legal basis for each type of health data processing.

Proportionality and Data Minimization

The guidance emphasizes that pandemic conditions do not suspend GDPR principles:

  • Necessity: Collect only health data genuinely necessary for the stated purpose; general health surveillance beyond COVID-19 protection is not justified.
  • Proportionality: Measures must be proportionate to the risk and objective. Less invasive alternatives should be considered before implementing full monitoring.
  • Purpose limitation: Data collected for COVID-19 protection should not be repurposed for performance management, attendance tracking, or other employment decisions.
  • Storage limitation: Retention periods should be limited to the duration necessary for pandemic response, with clear deletion schedules.

Employer Health Screenings

The EDPB addressed common workplace health measures:

  • Temperature checks: May be permissible if required by law or public health authority guidance, but must include appropriate safeguards including limited retention and restricted access.
  • Symptom questionnaires: Should be limited to COVID-19-relevant symptoms rather than full health surveys. Results should be accessible only to those with legitimate need.
  • Testing: Employer-mandated testing requires clear legal basis and should follow public health guidance regarding appropriate circumstances.
  • Disclosure of positive cases: Avoid naming infected employees to colleagues. Information should be limited to what is necessary for contact tracing or workplace safety.

Contact Tracing Considerations

The guidance addresses workplace contact tracing:

  • Public health authority coordination: Contact tracing is primarily a public health function. Employer programs should coordinate with rather than duplicate official efforts.
  • Voluntary participation: Where employers implement contact tracing apps or programs, participation should generally be voluntary.
  • Location tracking: Continuous location monitoring raises significant privacy concerns and requires strong justification. Proximity-based approaches are generally preferable.
  • Data sharing: Sharing employee health information with public health authorities should be limited to legal requirements or specific consent.

Remote Work Monitoring

With expanded remote work, the EDPB cautioned against excessive surveillance:

  • Productivity monitoring: Invasive monitoring tools (keystroke logging, continuous screenshots, activity tracking) require strong justification and are generally disproportionate.
  • Video surveillance: Requiring cameras enabled during work hours intrudes on home privacy and typically exceeds legitimate employer interests.
  • Working time tracking: Reasonable time tracking may be justified, but should use least intrusive methods.
  • Personal device considerations: Employers should minimize access to personal devices and clearly separate work from personal data.

Employee Rights

GDPR rights remain applicable during the pandemic:

  • Information rights: Employees must be informed about what data is collected, purposes, retention periods, and recipients.
  • Access rights: Employees can request access to their health data held by employers.
  • Rectification: Inaccurate health information should be corrected upon request.
  • Complaint rights: Employees can lodge complaints with supervisory authorities regarding disproportionate processing.

Documentation and Accountability

Document COVID-19 processing comprehensively:

  • Record legal bases for each type of health data processing.
  • Document necessity and proportionality assessments.
  • Maintain records of retention periods and deletion schedules.
  • Update privacy notices to reflect COVID-19-related processing.
  • Conduct data protection impact assessments for higher-risk measures.

Closing analysis

The EDPB guidance establishes that pandemic response does not suspend data protection principles. Organizations implementing workplace health measures must ensure legal basis, proportionality, and transparency while respecting employee privacy rights. Measures implemented during the emergency should be reviewed and rolled back as conditions normalize.

Source material

  1. Statement on the processing of personal data in the context of the COVID-19 outbreak — European Data Protection Board
  2. EDPB Guidelines and Recommendations — EDPB
  3. ISO 37000:2021 — Governance of Organizations — International Organization for Standardization