Position of the government and the Dutch Data Protection Authority
Much has been said and written about permissible pandemic-related policies set by employers. In the Netherlands, it is clear that employers cannot require employees to get vaccinated. However, according to the government, employers are free to ask employees about their vaccination status, provided that the employer has a clear plan on how to proceed if the employee turns out to be unvaccinated or does not want to disclose vaccination status. Employees do not have to answer questions about their status, but an employer may suggest adjustments to the work schedule or the workplace to employees it knows have not been vaccinated or who do not want to disclose their vaccination status. If that suggestion is reasonable, the employee must accept the adjustment, according to the government.
The Dutch Data Protection Authority (DDPA), on the other hand, seems to be of the opinion that an employer may not make such suggestions. According to the DDPA, the General Data Protection Regulation (GDPR) classifies data about health as special personal data, which may be processed only if there is a specific legal basis for doing so. The government also indicates that employers may not record in any way whether or not employees are vaccinated, but it apparently sees this as no impediment to suggesting adjustments. According to the DDPA, however, an employer cannot do much with an answer to the question of an employee’s vaccination status. How do these two positions relate to each other? The answer may depend somewhat on whether the employer is engaged in the healthcare industry.
It is true that the GDPR prohibits the processing of health data unless certain conditions are met. Processing is permitted, among other things, if it is “necessary for the purposes of preventive or occupational medicine, the provision of health or social care, or the management of health care systems and services, on the basis of Union or Member State law or pursuant to contract with a health professional”.
The GDPR Implementation Act is the basis in national law that provides that healthcare providers or healthcare institutions may process health data that are necessary for the proper treatment of the data subject or for managing the institution or practice concerned. This basis provides sufficient scope for healthcare employers to process vaccination data if, for example, this step is necessary to safeguard the services the employer provides. The employer may do the processing itself, in which case it is bound to secrecy, or have it carried out by a person subject to professional secrecy, such as an occupational physician.
The employer also may scan the QR code of the CoronaCheck app. After all, it is then not directly processing medical data about the vaccination status.
Employers in other industries
However, it does not seem to be ruled out that employers in industries other than health care also may process data about the vaccination status of employees. The GDPR allows processing if it is “necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment and social security law, in so far as it is authorised by Union law or Member State law or a collective agreement providing for appropriate safeguards for the fundamental rights and interests of the data subject”.
Again, the GDPR Implementation Act provides the ground in national law. That act provides that the prohibition on processing health data does not apply to employers if processing is necessary for the proper implementation of statutory regulations that provide entitlements that depend on the health status of the data subject. We consider such entitlements to be present in this situation.
An employer is required by law to take measures to prevent its workers from suffering harm while on the job. The employer is liable for the damage suffered by workers if it fails to meet this obligation adequately. Fulfilling this obligation, and thus fulfilling the right of workers to a safe workplace, most certainly depends on the health status of the workers concerned. As long as the processing does not go beyond what is strictly necessary for providing a safe workplace, there appears to be no reason why an employer should be in breach of the GDPR.
Therefore, it likely is justifiable for employers to ask employees to demonstrate that they do not pose an – alleged – corona risk, without finding out in doing so whether that is because of vaccination, a recovery certificate or a negative test. The CoronaCheck app is a suitable tool for this purpose.
For employees who cooperate, it will be clear whether they pose a risk. For employees who do not cooperate, it will then be clear that they may pose a coronavirus-related risk. The question is whether any health data are collected in this process at all; after all, the employer does not know if employees are unvaccinated, untested, or tested but simply not disclosing that.
Scanning the QR code on the CoronaCheck app at the workplace may nonetheless be necessary, especially for companies where workers can only work on-site, without sufficient physical distancing. In that case, any curtailment of employee privacy would seem to be proportionate to the purpose of fulfilling the legal obligation to provide a safe, healthy workplace for everyone in the company.