Since 1 July 2021, the CovidCheck certificate (EU Digital COVID Certificate - EU DCC) has facilitated the free and safe circulation of citizens in the EU during the COVID-19 pandemic for 30 countries. In Luxembourg, the Government has also set up a CovidCheck system, i.e. it has provided the mobile application CovidCheck.lu to verify the authenticity and validity of certificates.
Authenticity and validity of a certificate:
The app checks whether the holder has either a negative COVID-19 test certificate certified by laboratories, doctors or certain health professionals, pharmacists), or a recovery certificate, or a complete vaccination certificate.
The Luxembourg CovidCheck regime currently applies to establishments, events and activities but was not designed to be used by employers for entry into business premises.
Implementation of a CovidCheck system at the workplace?
In the absence of a legal obligation to be vaccinated against COVID-19, employers cannot force their employees to be vaccinated. They can however strongly encourage or recommend vaccination through the setting up and implementation of health and safety measures.
The return of employees to their usual workplace can only take place in a healthy and safe environment. Employers must therefore put adequate measures in place. Employers’ liability may be triggered if the measures put in place are not sufficient or go far enough to protect employees of a company. Employers must take into account the risks for employees which depend on the nature of the tasks performed by them, as well as their working conditions.
Implementation of the CovidCheck System initiated by the employer:
Article 2 §1 of the GDPR only applies to "the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system". The material scope of the GDPR relies on two concepts: personal data and processing.
The fact that personal data are relevant in the implementation of a Covid-Check system does not pose a problem. The question that arises, however, is whether or not processing is carried out.
According to Article 4 point 3 of the GDPR, processing is "any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means".
The CovidCheck App only verifies the validity of the certificate when it is scanned and does not record any data. Like temperature check measures, the fact that the temperature data is not processed and linked to a data subject has the consequence that it does not constitute data processing within the meaning of the GDPR.
An employer can therefore rely on its health and safety duty to verify employees’ CovidCheck status.
Implementation of the CovidCheck system based on a legal duty:
The situation is likely to evolve in Luxembourg : the CovidCheck system will be extended to private companies as of 1 November 2021 since the vote of the new Covid law on 18 October 2021.
As a result, in addition to employers’ health and safety duty of care towards employees, the CovidCheck system in companies will become part of a specific law.
Does that mean that employers could then process employees’ health data when implementing the CovidCheck system?
In addition to Article 6 requirements, processing of health data requires further conditions to be met as set out in Article 9 of the GDPR.
Since the concept of necessity is interpreted strictly and the use of consent is not recommended in the relationship between employer and employee, only the fulfillment of a legal obligation that would additionally meet the conditions of Article 9 of the GDPR could be relied upon. However, to rely on such basis, the legal provision allowing such processing should define in a clear and precise manner the purposes of the processing and contain specific provisions “on the types of data that are subject to the processing; the data subjects; the entities to which personal data may be disclosed and the purposes for which they may be disclosed; purpose limitation; retention periods; and the processing operations and procedures, including measures to ensure lawful and fair processing".
In addition, the lawfulness bases of Article 9 of the GDPR also require a strict proportionality check and the establishment of appropriate safeguards to safeguard the fundamental rights and freedoms of the data subject for the legal basis considered.
As a result, the employer’s health and safety duty of care as defined in Article L. 312-1 of the Luxembourg Labor Code is not sufficient to allow employers to process health data even if the implementation of the CovidCheck system in the workplace will be authorised by law. The Luxembourg Data Protection Authority (the “Commission Nationale pour la Protection des Données”) has pointed out that if data processing were to be carried out on the basis of the current bill of law, it does not meet the requirements of clarity, precision and clarity, precision and foreseeability that a legal text must meet.
Consequently, the implementation of the CovidCheck system by employers, which would require the recording or logging of personal data from the system, could not be legally implemented under current Luxembourg legislation.
Article provided by INPLP member: Michel Molitor and Virginie Liebermann (Molitor, Luxembourg)
Dr. Tobias Höllwarth (Managing Director INPLP)