Swiss data protection agency issues guidelines on health data collection during COVID-19 pandemic

The Federal Data Protection and Information Commissioner (FDPIC) of Switzerland issued guidelines outlining data protection requirements for private companies when collecting health data for the purpose of managing the COVID-19 pandemic. In particular, in relation to private companies’ plans to make goods or services available only with proof of a negative COVID-19 test result or certification of vaccination, the FDPIC highlighted that companies need to adhere to the principles of proportionality and compliance, underscoring that making access to goods and services conditional on the collection of specific health data affects data subjects’ rights. The FDPIC outlined specific requirements, including following a specific purpose for the processing of health data, considering the opinions of health authorities, and ensuring the security and limitation of processing to what is necessary for the purpose behind it. Moreover, the FDPIC noted that private companies should refrain from barring customers who do not consent to health data collection from receiving goods and services, unless access to such goods and services can be otherwise guaranteed.