As the COVID-19 pandemic continues to affect workplaces throughout the world, employers are considering new ways to ensure a safe workplace when employees return to the office. Outside the US, employers must balance their duty of care to protect the health and safety of all their employees with safeguarding employees’ privacy and complying with data protection regulations. Many employers already have analyzed whether they may require or request employees to (i) submit to COVID-19 testing at the workplace, (ii) certify certain health information regarding exposure to COVID-19 and (iii) wear a face covering in the workplace. Another relatively recent development employers outside the US may wish to consider is whether they may require or request employees to download a COVID-19 contact tracing application to their smartphones to track employees’ movements and contacts to enable employers to alert employees if they have been exposed to a co-worker with COVID-19.

Consent in the Employment Context

Requiring or requesting employees to download a contact tracing application raises data privacy issues. To start, in the EU and elsewhere, processing employee personal data, including location data, generally requires employers to obtain employee consent. As such, using an employer-sponsored COVID-19 contact tracing application must be voluntary. But it is very difficult for employers in the EU and other countries to demonstrate that employees’ use of the application actually is voluntary. This is because those jurisdictions view consent skeptically in the employment context because of the perceived unequal bargaining position between employers and employees.

There may, however, be a way to implement contact tracing through use of a mobile phone application that is legally compliant with the General Data Protection Regulation (“GDPR”). Under the GDPR, EU employers may process employees’ personal data when necessary for employers’ legitimate interests or the legitimate interests of a third party, unless there is an overriding reason to protect the individual’s personal data. In addition, employers must comply with GDPR rules when processing special category (sensitive) data, which includes health data. To ensure that employers’ processing of special category data is lawful, employers must first identify an Article 6 basis for the processing, and then must meet one of the specific conditions in Article 9, which includes explicit consent. To establish explicit consent under the GDPR, the consent must (i) be a clear statement (oral or written), (ii) specify the nature of the special category data and (iii) be separate from any other consent.

Jurisdiction-Specific Considerations

Prior to rolling out a COVID-19 contact tracing application, employers should analyze whether such an application is permissible in specific jurisdictions. Some countries, including Australia, India, Japan, Singapore, Spain and the United Kingdom, among others, have state-sponsored applications and also allow employers to request employees to download a workplace contact tracing application. Government applications are not necessarily widely used (as is the case in Spain and the UK); therefore, an employer-specific application, although arguably redundant, may actually provide better workplace contact tracing and with it, better employee health safeguarding.

There are some countries, however, which ban contact tracing applications. In Luxembourg, for example, the National Commission for Data Protection has stated that employers should not use contact tracing applications to process employee data. After national debate, Luxembourg decided not to develop a national contact tracing application. The decision applies to employers, who, if they do not comply, may be subject to fines and/or criminal sanctions.

In other countries, including France, Germany and Ireland, where the government has rolled out a state-sponsored COVID-19 contact tracing application, employers likely face an uphill battle in demonstrating that a workplace application is necessary and proportionate in light of data privacy laws.

Proposed Solutions

To minimize data privacy issues, EU employers should provide employees with a detailed notice statement that contains specific information regarding the purpose and scope of the data collection and includes an employee acknowledgment. This detailed notice statement should not be a “one-size-fits-all” form, but instead should be tailored for specific circumstances.

Where an employee can work from home, but may wish to return to the workplace, employers may consider making an employee’s return to the workplace contingent on their downloading the employer’s contact tracing application. In such case, and as a best practice, employers still should provide employees with a specific, detailed notice statement that informs employees of the purpose and scope of the data collection and should obtain the acknowledgement.

Where workplace contact tracing applications are permitted, providing employees with written disclosure and obtaining their acknowledgement and consent should minimize the potential for data privacy claims.


In the end, whether employers should require or recommend employees to download a contact tracing application depends upon both practical and legal issues. Employers should be aware of the type and size of the workforce that they have in specific jurisdictions. While some employees may think that the application is a cool gadget, others may have privacy concerns. Local teams may be in the best position to assess this risk.

Epstein Becker & Green continues to monitor workforce management issues in the US and abroad.
