Since vaccinations against corona virus became available, the employers have been increasingly seeking to know their employees’ vaccination status. However, the vaccination status classifies as a health data, which is a special category of personal data under the GDPR. Due to it’s sensitive nature, processing of such personal data is generally prohibited, unless an exception applies.
Employers can collect and process information about the vaccination status of their employees (as a special category of personal data) if:
Moreover, the employers have to identify the purpose of collecting and processing this kind of data. They usually rely on ensuring Health and Safety at the workplace.
Finally, they might need to conduct a DPIA (Data Protection Impact Assessments), before processing large volumes of data regarding vaccination status. The DPIA would need to consider why such data is needed and whether there is a sufficient legal basis for processing. The safest legal reasons will be compliance wit legal obligations and “substantial public interest”.
Whether there is a legal basis for the processing of vaccination data by employers under Art. 9 GDPR is viewed differently throughout Europe.
Countries such as the United Kingdom, Austria, Spain, Finland permit the employers to collect and process employees’ vaccination status data to the extent that the information is necessary to ensure the safety of the workplace (i.e., to prevent infections at the workplace). In their view, this can be based on Art. 9 (2) (b) GDPR, which allows the processing of special category data “for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment”.
Contrary, guidance from several countries, such as France, Germany, Belgium, Netherlands, and Ireland, indicate that employers are not allowed to ask employees for their vaccination status, as there is no legal basis for it. Germany provides an exemption from this strict rule: vaccination status requests by employers may be allowed in case of wage compensation claims.
Therefore, it is of utmost importance that each employer assesses national legislation and guidance on the processing of vaccination data before any data is collected and processed.
However, even if national laws and guidelines indicate that the collection and processing of data on your employees’ vaccination status is permissible, there are some key principles you have to consider.
First of all, you as an employer must provide employees with information about how and why their vaccination data is being processed. This could be an update to your existing Privacy Policy or could be provided as a separate document.
Second, the principle of data minimisation obliges you to limit the collection of vaccination data to employees working in an office or other facility in this case, as only this data is necessary to ensure workplace safety. Moreover, you have to limit the retention of vaccination data to the period that is strictly necessary to achieve the purpose. Therefore, your company should establish a retention schedule for employee vaccination data (and inform the employees about it)
Finally, with special category data, such as health data, security is vital. Therefore, your company should have organisational and technical safeguards in place, such as limiting access to vaccination data to persons responsible for monitoring health and safety in the workplace.
Due to its personal and sensitive nature, processing of employees’ vaccination status data is permitted in specific and limited cases. You should always assess your national laws to confirm if such processing is permitted. If this is not the case, you should refrain from processing employee vaccination data. If processing is considered to be permissible, you should nevertheless always keep the above mentioned key considerations and principles in mind and adhere to them.