Frequently Asked Questions
The ODP recognises that Data Controllers are facing unexpected challenges during the Coronavirus COVID-19 pandemic.
The ODP is aware that Data Controllers may need to share Personal Data rapidly or collect the Personal Data of visitors to their premises for such purposes as contact tracing and other response measures.
The DP Regulations do not prevent a Data Controller from processing Personal Data in cases of emergency, provided that the Personal Data is processed fairly, lawfully and securely, and it is adequate, relevant and proportionate for the purposes for which it is being processed.
The ODP is here to help and clarify frequently asked questions received in this regard:
1. What is the ODP’s position if a Data Controller does not meet certain regulatory requirements or experiences a delay in responding to Data Subject rights requests during the current COVID-19 situation?
Data Controllers should always seek to comply with their obligations under the DP Regulations. However, during these uncertain times, the ODP understands that Data Controllers might be distracted and there may be delays in responding to Data Subject requests and other compliance requirements under the DP Regulations. The ODP will take a pragmatic approach to regulation during these uncertain times and will take into consideration any mitigating circumstances before deciding what regulatory action to take (if any) against Data Controllers for non-compliance.
2. Can a Data Controller inform employees that a member of their team has contracted COVID-19?
Employers have a legal obligation to ensure the health and safety of all their employees. Accordingly, Data Controllers should keep employees informed about any cases of COVID-19 in their organization and take the necessary measures to keep employees safe. However, employers should avoid naming individuals, if possible, and should not provide any more information than is necessary.
3. Is a Data Controller that is a public entity or healthcare provider permitted to contact individuals in relation to COVID-19 without having prior consent?
The DP Regulations do not prevent any health professionals from sending public health messages to people, either by phone, text or email, as these messages are not direct marketing.
Public bodies may also require additional collection and sharing of Personal Data for the purpose of protection against serious threats to public health. This is a legitimate purpose for collecting and processing such Personal Data.
4. Can a Data Controller collect health data in relation to COVID-19 about employees or visitors of ADGM entities?
As employers, Data Controllers have a duty to ensure employees’ health and safety, but that does not necessarily mean they may gather unnecessary information about their employees.
For example, it may be reasonable in the current circumstances to ask an employee or a visitor if they have visited a particular country or are experiencing COVID-19 symptoms. On the other hand, it would be unreasonable to ask an employee or visitor if they or any of their family members have ever been diagnosed with any other contagious disease.
If additional health data is required, employers must ensure that they do not collect any more Personal Data or Sensitive Personal Data than is necessary (note: Sensitive Personal Data includes health information). In addition, employers must ensure that any Personal Data or Sensitive Personal Data that is collected is treated with the appropriate safeguards, as specified under the DP Regulations.
5. Can a Data Controller share employees’ health information with the relevant Health Authorities for public health purposes?
It is unlikely that a company will be required by Health Authorities to share information about specific individuals. However, if this does happen, the DP Regulations do not prevent employers from sharing such information, provided there is a legal basis for the processing of the Personal or Sensitive Personal Data and appropriate safeguards have been met.
6. Can employees work from home during this period?
The DP Regulations do not restrict a Data Controller’s employees from working from home, provided the appropriate safeguards have been met (e.g. appropriate IT security is made available to employees) to protect any Personal Data that may be processed during that period.
ADGM Data Controllers and their employees are responsible for ensuring robust security measures are in place and adhered to at all times.
7. Who can I contact for more info?
For further information, please do not hesitate to contact the ODP via e-mail: Data.Protection@adgm.com.