Now that life seems to be getting back to “normal” (the bars are open, and the curfews have been lifted), employers are starting to look for ways to recommence life at the office as well. Employers are hoping that the restrictive work-from-home measures that are currently in place will soon be lifted, or at least made less stringent. This easing of the work-from-home measures seems to be on the menu in the (conditional) exit plan proposed by the Belgian government on 11 May. Currently, the obligation would become a strong recommendation on 1 July, if the containment of the pandemic and the vaccinations continue as expected.
Employers are asking themselves questions, such as whether office presence could be managed on the basis of the vaccination or even Covid-test data of their employees. This question touches upon multiple legal considerations, one of those being data protection. In this short post we will have a brief look at the legal qualification under data protection law of the vaccine- and test-related data as well as its implications for employers.
- Qualification under the GDPR
The very first question that begs an answer is the legal qualification of the vaccine and test data under data protection law. The General Data Protection Regulation (“GDPR”) considers personal data to be any information relating to an identified or identifiable natural person. Personal data is subject to various legal considerations, including the fact that it may only be processed for specified purposes (article 5(1)(b) GDPR), as well as that it can only be processed when there is a legal basis for such action (article 6 GDPR).
Vaccination and test data, however, are not mere personal data, but fall under the regime of sensitive personal data. In particular, they are data concerning physical health, revealing information about a natural person’s health status. Sensitive personal data is subject to additional protection under the GDPR; most importantly, its processing is prohibited unless an additional legal basis applies (article 9(2) GDPR).
In an employment relationship, two categories of those legal bases could be considered relevant.
- Explicit consent
A first ground on which the sensitive personal data could be processed is the explicit consent of the employee (article 9(2)(a) GDPR). It should, however, immediately be pointed out that in an employment relationship, consent will rarely be considered valid due to the presumed imbalance in power between the employer and its employees. The employee will often feel compelled to consent to the processing of their data due to a fear of backlash. The same would almost always be the case when asking an employee to provide information on their vaccination status or test results. Data protection authorities across Europe share the view that consent should probably not be used as a legal basis for the processing of such data. However, exceptions may exist.
Therefore, processing the vaccination and test data in an employment relationship on the grounds of consent will always require a case-by-case analysis, considering the particular purpose for which the data would be processed. Nevertheless, it should be noted that consent will in almost all cases be found lacking as a legal basis.
- European Union and member-state law
A second ground on which the processing of vaccination and test data in an employment relationship could be based is a legislative source. The legislative source may stem from either the European or the national level. It could find its basis either (1) in an employment, social security or social protection law, or collective agreement (article 9(2)(b) GDPR), or (2) in a law relating to preventive or occupational medicine (article 9(2)(h) GDPR).
As regards both grounds, there is currently no sufficient legislative source that would allow the processing of the vaccine and test data of employees in order to e.g. manage their office presence. However, the European and Belgian legislators are looking at options regarding the use of such data, including in the form of the vaccination passport. This may result in a European Union or Member State law allowing for the use of such data by employers. For now, however, it remains to be seen what those rules will state regarding the sensitive personal data of employees as well as the option to e.g. test employees coming back to the office.
Considering the special qualification of the vaccine- and test-related personal data, and the fact that these personal data cannot be processed without an additional legal basis, employers should carefully assess whether processing such data, e.g. for the purposes of managing office presence, is appropriate.
The GDPR provides for two options that may apply at first sight. However, on closer inspection, neither of these legal bases proves to be sufficient to permit the lawful processing of vaccine and test data. For this reason, at the moment of publication of this blog post, employers can generally not process such sensitive personal data of their employees.
Please note that legislative changes in the near future may allow for such processing by employers. Should such a change occur, we will follow up this blog post with an update.
All comments and analyses included in our blog posts are for information purposes only and do not amount to legal advice.