Data Protection in Romania during Covid-19

• to appoint a person responsible for checking the temperature at the entrance of the unit/institution;
• to ensure the triage of employees by checking the temperature at the beginning of the work program and whenever necessary during the program;
• if the employee shows respiratory symptoms (cough, sneezing, rhinorrhea) and / or fever higher than 37.3 ° C and / or general impaired condition, the employer must isolate the person from other employees and send him / her to his / her home or to the medical unit (depending on his / her condition). The rules on access and temperature measurement shall also apply to visitors.

• the employer shall be transparent to employees regarding the health data processing in the context of implementing measures against COVID-19, providing information on the purpose of collecting the personal data, the storage period, the recipients of the data, the rights of the data subjects in connection to personal data;
  
• the employer shall not disclose the identity of affected individuals to any third parties or to their colleagues without a clear justification. However, public health authorities could request this information, in which case disclosure is mandatory;
  
• the employer shall process only the minimum necessary amount of data to achieve the purpose of implementing measures to prevent or contain the spread of COVID-19. Employers should not (unless expressly indicated by the law or expressly requested by a competent authority): collect information about the body temperature of their employees or visitors to the premises, actively gather information about employee's travel outside of work, actively collect information on the presence of any symptoms in the worker and his or her closest contacts;
  
• the employer shall document any decision-making process which involve the processing of health data in the context of implementing measures to fight against COVID-19.
  

• information of the data subjects (as per art. 13 in the GDPR) – for both employees and visitors entering the facilities in respect of any assessment questionnaires or health checks (e.g. temperature screening of employees and visitors entering the premises);
• avoid collecting or keeping excessive data, especially health data (e.g. no records from the thermal scanner reading should be stored or archived) 
• consider the potential involvement of a health care professional in carrying the health checks;
• consider updating the company’s prevention and protection plan.

The retention period for questionnaires or other related records shall be set on a case by case basis, by each data controller, provided data shall not be kept for longer than necessary considering the processing purpose for which the data was collected. We recommend no retention period if there is no suspicion of disease, in the other cases a few days, which is required for epidemiological investigations/communication with the Public Health Inspectorate (DSP).

• the staff, on a need-to-know basis; a general statement in case of a confirmed infection with COVID-19 among the workforce (avoiding the disclosure of the employee’s identity) can be considered at the workplace, if not susceptible of preventing the fight against diseases/spread of the disease. However, prevention and fight against the disease/its spread implies a obligation to investigate and identify all individuals who were in direct or indirect contact with the employee who is or may be infected with COVID-19;
• processors authorized for and instructed by the company to the processing of personal data (e.g. security company managing the access to the premises) on the basis of pursuing the specific purpose;
• reporting obligations under local laws and regulations to public authorities acting in their institutional capacity.