K&L Gates ranked “Highly Recommended” with Claude-Etienne Armingaud.
Source: Leaders League
(more…)The current COVID-19 pandemic continues to raise many issues on employee privacy and how employers may balance processing their employees’ data with ensuring safety in the workplace. The French Supervisory Authority (CNIL) has provided guidance on the methods that may be used by employers to collect and process health data from their employees (outside of medical care data) in order to detect possible symptoms related to COVID-19, as well as data relating to travel or events. In addition, more generally, the French Labor Ministry has published a “National protocol regarding the end of the lockdown for companies to ensure health and safety of the employees” (Protocol), in order to help employers manage the various tasks and issues related to the end of the lockdown and employees’ return to work. This document does not have legal force, but sets out the general recommendations and principles of prevention regarding the protection of employees’ health and safety in the context of the current health crisis.
Under the General Data Protection Regulation (GDPR) framework, the CNIL guidance available here in French) reiterates a number of core principles:
In the private sector, Articles L. 4121-1 and R. 4422-1 of the French Labor Code (FLC) provide for a safety obligation incumbent on employers, which must implement occupational risk prevention, information and training actions. The company and its legal representatives are criminally liable for the employee security obligation. Employers that fail to provide employees with safe and appropriate working conditions would face a court risk and could be held liable for not ensuring the employees’ safety and security on the workplace. Since 2015, the French Supreme Court has held that the employer’s obligation with regard to employees’ health and safety is an enhanced best efforts obligation (obligation de moyen renforcée). Therefore, the employer can avoid liability by proving that preventive measures have been implemented. French Supreme Court case law holds that the employer has complied with this legal obligation to take the necessary measures to ensure the safety and protect physical and mental health of employee when it is demonstrated that he has taken all measures to prevent, adapt and provide information on the risks, in accordance with Articles L. 4121-1 and L. 4121-2 of the FLC.
In the context of the current pandemic, the employer’s safety obligation is more topical than ever. In order to comply with this mission, employers have the right to process personal data, albeit only when strictly necessary to foster that purpose. In this respect, the CNIL encourages employers to regularly consult the information and recommendations published by the French Labor Ministry, in order to better understand their obligations in this period of health crisis.
According to the CNIL’s position, employers are entitled, in this context, to:
On the other hand, Article L.4122-1 FLC provides that each employee has a safety obligation which requires them to preserve not only their own health and safety, but also, the health and safety of other individuals with whom they may come into contact in the course of their professional activity, be it other workers or customers. However, in practice, employers might be in a delicate situation if they were to take disciplinary sanctions against these employees, and they might face labor court actions.
While French employees are usually only required to provide an illness certificate, which does not provide any specifics on the health status other than inability to work, the CNIL understands that the contagiousness of the COVID-19 pandemic mandates self-reporting be more specific to enable employers to take any measure required to ensure the safety in the workplace.
However, this reinforced duty to provide information does not extend to individuals working in isolated conditions, e.g. without contact with other individuals and/or working remotely. For such “isolated” workers, the classic rules of labor law apply and employers are not allowed to mandate such disclosure of personal data.
When organizing the return to work, employers are encouraged to facilitate dialogue with its employees and employee representative. Employers may require certain information, and may ask employees to inform the company’s management of, in particular, any travel to risk areas and risk factors related to their health or relatives. However, this organizational requirement must be compliant with the GDPR for the processing of employees’ personal data.
In any case, employers may only process elements related to (i) the date, (ii) the identity of the person, (iii) the contamination status reported by the employee, and (iv) the data related to the organizational measures to be put in place.
The CNIL emphasizes the particular sensitivity of health-related data, which is considered a “special category of personal data” under Article 9 GDPR, and thus requires processing under robust conditions of security and confidentiality, as well as limited access to authorized personnel. Consequently, employers wishing to take steps to ensure the health of their employees must rely on their occupational health service.
Processing operations pertaining to such special category of personal data is, by principle, prohibited under GDPR, unless they fall within one of the exceptions provided under GDPR, namely:
In the context of the pandemic, the CNIL highlights that (2) and (8) would be the only relevant bases to ensure the safety in the workplace.
In that regard, the coordination with health authorities, as potential recipients of the data, is authorized, to ensure the medical care of the exposed person. Nevertheless, the identity of the individual, effectively or presumably infected, must not, under any circumstances, be communicated to other employees.
Considering that GDPR and its French implementation only apply to automated processing (particularly computer processing) or to non-automated processing where a physical file is materialized, this means that the simple verification of temperatures prior to access to premises would not trigger application of GDPR insofar as no trace of this check is kept and if no other operation is carried out. On the other hand, any automated temperature verification, such as through use of thermal cameras, would be subject to GDPR. Given that other less intrusive methods to achieve a similar purpose exist, they may not pass muster for the data minimization tenet of GDPR.
Based on the CNIL and French Labor Ministry guidance, the following could be considered by employers in order to effectively and efficiently organize their employees’ return to work:
First publication: K&L Gates Hub in collaboration with Christine Artus, Sarah Chihi, Anne Ragu, Clara Schmit
Claude-Étienne Armingaud
Source: Legal 500 – EMEA
(more…)K&L Gates LLP handles contentious and advisory matters for clients in a range of sectors, focusing particularly on telecoms and e-commerce. Claude-Etienne Armingaud led a team which defended Priska Pasquer, a German gallery which is internationally renowned for the distribution of photographic work, in an alleged fine art photograph infringement case.
Source: Legal 500 – EMEA
(more…)K&L Gates LLP occupies a unique place in the market with its focus on media and entertainment clients and its impressive track record in handling matters for French professional associations, including those representing communication agencies, advertising players and online publishers. Practice heads E. Drouard and Claude-Etienne Armingaud are well versed in cross-border matters as demonstrated by their frequent involvement in matters involving multinational companies, particularly clients from the US and Asia. Instructions relating to GDPR compliance also account for a significant portion of the workload. The practice also offers clients the use of artificial intelligence tools to facilitate document analyses, knowledge management and document drafting. While the tools are employed across the board, they are particularly beneficial in litigation through the improved management of document evidence.
‘The data protection team can be noted for its outstanding quality, reputation and high responsiveness. With their international network, in-depth knowledge of the market, the technology and their legal strength it is an excellent firm to go to for data protection matters.‘
‘Really pleasant team to work with. Responsive and team players.‘
‘The K&L Gates privacy team in France has a lot of knowledge regarding cross-border privacy issues.‘
(more…)‘Claude-Etienne Armingaud is a true data protection thought leader. With his in-depth knowledge of the market, technology and his legal strength he is the person to go to for all data protection matters. He is an expert in the fields of new technological areas including fintech, blockchain and the internet of things where he combines his extensive data protection knowledge with his market and technological experience.
Practice head(s):Claude-Etienne Armingaud
‘The team is well versed and up to date on the current standards and practices. Team members are all very flexible in their availability and very responsive’.
‘The team provides sharp advices and has great sector industry knowledge’.
‘The team has in-depth expertise and great ability to anticipate future legislation’
(more…)‘Claude Etienne Armingaud is more than a lawyer; he is a trusted partner who knows his own limits and is very friendly’.
K&L Gates ranked “Highly Recommended” with Claude-Etienne Armingaud.
Source: Leaders League
K&L Gates ranked with Claude-Etienne Armingaud.
Source: Leaders League