Share

4 min read

Writen by Stefanija Rikaloska

Posted on: January 18, 2022

Data Protection and Corona Virus

Since vaccinations against corona virus became available, the employers have been increasingly seeking to know their employees’ vaccination status. However, the vaccination status classifies as a health data, which is a special category of personal data under the GDPR. Due to it’s sensitive nature, processing of such personal data is generally prohibited, unless an exception applies.

Employers can collect and process information about the vaccination status of their employees (as a special category of personal data) if:

  • they demonstrate a lawful basis for processing, under Article 6 of GDPR; and
  • meet a specific, separate condition, as stipulated in Article 9 of the GDPR.

Moreover, the employers have to identify the purpose of collecting and processing this kind of data. They usually rely on ensuring Health and Safety at the workplace.

Finally, they might need to conduct a DPIA (Data Protection Impact Assessments), before processing large volumes of data regarding vaccination status. The DPIA would need to consider why such data is needed and whether there is a sufficient legal basis for processing. The safest legal reasons will be compliance wit legal obligations and “substantial public interest”.

Different views across Europe

Whether there is a legal basis for the processing of vaccination data by employers under Art. 9 GDPR is viewed differently throughout Europe.

Countries such as the United Kingdom, Austria, Spain, Finland permit the employers to collect and process employees’ vaccination status data to the extent that the information is necessary to ensure the safety of the workplace (i.e., to prevent infections at the workplace).  In their view, this can be based on Art. 9 (2) (b) GDPR, which allows the processing of special category data “for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment”.

Contrary, guidance from several countries, such as France, Germany, Belgium, Netherlands, and Ireland, indicate that employers are not allowed to ask employees for their vaccination status, as there is no legal basis for it. Germany provides an exemption from this strict rule: vaccination status requests by employers may be allowed in case of wage compensation claims.

Therefore, it is of utmost importance that each employer assesses national legislation and guidance on the processing of vaccination data before any data is collected and processed.

Key considerations

However, even if national laws and guidelines indicate that the collection and processing of data on your employees’ vaccination status is permissible, there are some key principles you have to consider.

First of all, you as an employer must provide employees with information about how and why their vaccination data is being processed. This could be an update to your existing Privacy Policy or could be provided as a separate document.

Second, the principle of data minimisation obliges you to limit the collection of vaccination data to employees working in an office or other facility in this case, as only this data is necessary to ensure workplace safety. Moreover, you have to limit the retention of vaccination data to the period that is strictly necessary to achieve the purpose. Therefore, your company should establish a retention schedule for employee vaccination data (and inform the employees about it)

Finally, with special category data, such as health data, security is vital. Therefore, your company should have organisational and technical safeguards in place, such as limiting access to vaccination data to persons responsible for monitoring health and safety in the workplace.

Conclusion

Due to its personal and sensitive nature, processing of employees’ vaccination status data is permitted in specific and limited cases. You should always assess your national laws to confirm if such processing is permitted. If this is not the case, you should refrain from processing employee vaccination data. If processing is considered to be permissible, you should nevertheless always keep the above mentioned key considerations and principles in mind and adhere to them.

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
Zlatko, Stefania, Adam.

Contact Us

Recent blogs

GDPR Fines Q4 2021

The Fourth quarter of 2021, really confirmed that 2021 is the year of fines. We did an overview of

ICO Video Surveillance guidance

The steady growth of the use of video surveillance systems across public and private sectors, has l

Everything you need to know about a Data Processing Agreement

What is a DPA? A data processing agreement (DPA) is a legally binding document to be entered int

Get Your Account Now

Setup in just 5 minutes. Enter your company details and choose the EU Representative services you need.

Give Us a Call

Not sure whether EU Representative applies to you or which option to choose? Call, email, chat to us anytime.

06 GDPR INFO

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.