According to the latest reports, more than 8 million people in the Netherlands have now been vaccinated (at least once) against the corona virus and that number is still rising. As the vaccination is not required by law, employers (e.g. in healthcare) will probably want to know which of their employees have been vaccinated. Under the General Data Protection Regulation (AVG), can the employer obtain information about this?
Health data and AVG
The fact that a person has been vaccinated or not falls under the category of health data. According to the AVG, as we wrote in previous articles, health data is special personal data and therefore receives extra protection (Art. 9 paragraph 1 AVG). The processing of special personal data is in principle prohibited, unless the processor can invoke a legal exception and one of the grounds for processing 'ordinary' personal data (Art. 9 paragraph 2 AVG).
Express consent of the data subject is one of the most important exceptions for the processing of (special) personal data. Within the employment law context, the following exceptions are also involved:
Health data may be processed if this is necessary for:
- the reintegration or guidance of the employee in connection with illness or disability;
- a proper execution of legal regulations or collective labour agreements that provide for entitlements that depend on a person's state of health;
- for purposes of preventive or occupational medicine or for assessing the employee's fitness for work (such as making a medical diagnosis).
There is also the requirement that these health data may only be processed by or under the responsibility of a professional who is bound by professional secrecy or obligation of confidentiality.
Under the AVG, an employer may therefore not ask for health data from its employee(s), including whether an employee has been vaccinated against the coronavirus. Even if an employee indicates of his/her own accord whether or not he/she has been vaccinated, the employer may not register this data. The employer may also not use it to form an opinion about the employability of its employee(s). This is only permitted to the occupational health and safety service or company doctor.
As indicated, the employer could process the special personal data of the employee with the explicit permission of the employee. However, according to the Dutch Data Protection Authority, in such a relationship of authority the employee is by definition not in a position to freely determine his own will. Therefore, there is no legal basis if the employer will only process the special personal data on the basis of the employee's consent. The employer thus runs the risk of a sanction from the Personal Data Authority.
The escape clause in the AVG is that health data may be shared if 'the processing thereof is necessary for reasons of public interest in the area of public health', for example if safety is at risk. In that case, the rights and freedom of the data subjects must be properly protected.
Because the information about whether someone has been vaccinated falls under health data, the AVG states that the employer may not process this data of its employee(s). Asking for and using this information is also prohibited, even if the employee gives explicit permission. The Authority for the Protection of Personal Data is of the opinion that an employee in such a relationship of authority is by definition not in a position to freely determine his own will. Would you like to know more about this topic or about other topics of employment law? SPEE advocaten & mediation will be happy to be of service.