Considering COVID-19's nature and its implications on people’s health, companies have been forced to collect certain information from their employees in order to implement measures with an aim to reduce the related risks, including: confirmation of trips, contact with people who have been in high transmission areas and the presence of symptoms related to the disease such as fever, cough, headaches and body aches, among others. It is important to note that this information is protected by the Ley Federal de Protección de Datos en Posesión de Particulares (the Data Protection Law).

In accordance with the Data Protection Law, data related to a person's present or future health status is considered as "sensitive" personal data that, as a general rule, requires the owner’s express written consent for its processing.

In situations such as the one currently created by COVID-19, such information’s processing can be covered by the exception cases set forth in the Data Protection Law. For example, the existence of an emergency situation that could potentially harm an individual in his or her well-being would not require the employee's express written consent for data processing.

Companies continue to be subject to the personal data processing guidelines described below:

• Employees must be informed of the existence and main characteristics of the processing of their personal data by means of the privacy notice.
• Companies must protect the confidentiality of the information with adequate administrative, physical and technical security measures, among others, to avoid damage or discrimination of the information’s owner.
• The information's processing must be justified for legitimate, specific purposes and performed in accordance with the pursued purpose. In particular, information processing must be performed in accordance with the applicable legal provisions of the Ley Federal del Trabajo (Federal Labor Law) and the Ley General de Salud (General Health Law).
• Any communication made in the company about the possible presence of COVID-19 in the workplace should omit the identification of any individual employee.
• Identification of affected COVID-19 employees should not be disclosed, except to the Secretaría de Salud (Ministry of Health). According to the Ley General de Salud (General Health Law), the Ministry of Health should be notified of serious contagious or epidemic cases.  In this case, such transfer of information must be clearly documented, substantiated and carried out considering security measures that guarantee the protection of personal data.
• Periods of storage of personal data related to COVID-19 and the mechanisms that will be used to safely delete them must be defined.
• Only the data that is strictly necessary to fulfill the proposed purpose should be collected. This is data related to the identification and presence of symptoms, as well as information on movement or contact with people who have been in risk areas.

DISCLAIMER: Please note that the situation surrounding COVID-19 is evolving and that the subject matter discussed in these publications may change on a daily basis.