How to be GDPR compliant when introducing COVID-19 testing in the workplace

Covid testing, either through fully fledged tests, such as PCR, or through less intrusive methods, such as temperature measuring, is a fundamental part of returning to work in the “new normal”. Especially since newer and more dangerous covid strains appear more frequently, it is important to make sure that your employees can transition back to working from the office in a safe manner. However, one of the less understood compliance risks that introducing mandatory testing poses is remaining compliant with the GDPR.

This is why we put together a short guide to make sure you understand the main GDPR implications and how to act in accordance with the rules. Check it out below.

Lawful basis and preparatory steps

Health data, such as whether or not an employee is covid-positive and even body temperature, are covered by Article 9 of the GDPR (General Data Protection Regulation). This means that they are special category data. Therefore, in order to process them, you need to fulfil at least one of the conditions of art. 9 para. (2).

Our point of view is that the applicable scenario for office testing would be the one covered by art. 9 para. (2) letter (b), which enables controllers to collect data if it allows them to fulfil their obligations in the field of employment. In this case, ensuring the safety of your employees can be seen as an obligation of the controller (i.e. you, the employer).

Besides fulfilling the requirements of art. 9, you’d need a lawful basis to collect the data, as is always the case. In this case, that lawful basis would be legitimate interest (art. 6 para. (1) letter (f)).

However, in order to rely on legitimate interest, you’d need to prove that data collection is necessary and proportionate in order to reach your legitimate aim. Therefore, as an employer, you have to make sure that you require employees to disclose only necessary covid-related data, such as whether they have any symptoms, the results of any tests, etc.

You’d also have to consider what type of testing measure you want to implement, whether or not returning to the office is necessary and for which categories of employees, how you will keep the data secure, and who will have access to it.

Preparing a Data Protection Impact Assessment (DPIA)

A DPIA works as a sort of “record” that proves that you have considered the main compliance issues that you will face when implementing mandatory testing. It will need to include the following points in order to prove that your testing system is necessary and proportionate:

  • the activity being proposed (i.e. the specific measures);
  • the data protection risks;
  • whether the activity is necessary and proportionate;
  • how risk will be mitigated; and
  • whether risk mitigation has been effective.

Informing the staff and using the data

After you have prepared a DPIA and everything seems to be set from a preparatory point of view, you also need to “nail” the implementation of your mandatory testing policy.

First, you’d need to communicate clearly and openly with your employees. Try to avoid dry legal terms and explain the policy in plain language. Generally, your employees will need to know:

  • why the testing is necessary
  • what personal data is required
  • what it will be used for
  • who it will be shared with
  • how long it will be kept for
  • what decisions will be made based on the test results

Moreover, the notification bringing these aspects to your employees’ attention should also remind them that they have a number of rights in relation to the processing of their data.

After you inform the employees and collect the necessary data, you have to remember that you have specific obligations. So keep in mind the main ones:

  • Keep the data secure. You can keep the full names of covid-positive employees, but make sure that no one but qualified practitioners has access to them.
  • Do not prejudice any of your employees based on the collected data. That means that you should not fire them or take any other extreme measures based on the covid-related data. It is of paramount importance to remember that health data will change fairly frequently, and to act accordingly.
  • Do not disclose the name of any infected employee. Use general terms, such as “team member” or “member of the staff” in order to inform your employees of any confirmed covid cases.
  • More importantly, disclose any information on a “need-to-know” basis. That means that when you discover a new case among your employees, you should only inform the people directly affected. Generally, these would be the infected employee’s team members.

Bogdan Ciacli

Legal Intern R&R Partners Bucharest
