IP (Slovenia) - 07121-1/2021/1039

From GDPRhub

The Slovenian DPA (IP) issued an opinion that employers cannot collect or process employees' COVID-19 test results or their health card numbers unless required to do so by sectoral regulation. Even where such regulations are in place, the employer must show that its data collection practices comply with the principle of data minimisation.

Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6 GDPR
Article 9 GDPR
Article 48 of the Employment Relationships Act (ZDR-1)
Type: Advisory Opinion
Outcome: n/a
Decided:
Published: 03.06.2021
Fine: None
Parties: n/a
National Case Number/Name: 07121-1/2021/1039
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: IP (in SL)
Initial Contributor: Klemen Kraigher Misic

Summary

Facts

Personal data relating to the physical or mental health of an individual, including the provision of health services, which reveal information about the individual's state of health, are defined in Article 4(15) GDPR as data concerning health.

Article 48 of the Employment Relationships Act (ZDR-1), whose first paragraph stipulates when the personal data of employees may be collected, is particularly relevant for the processing of data in employment relationships. Under that provision, it is up to the employer to justify why it needs certain personal data of the employee in order to exercise the rights and obligations arising from the employment relationship or in connection with the employment relationship.

Holding

The Slovenian DPA (IP) explained that which personal data the employer may process for the purpose of the employment relationship must be assessed on a case-by-case basis. Applying this approach, it held that an employer is generally not entitled to COVID-19 test results unless it can justify that this information is necessary for the exercise of rights and obligations arising from the employment relationship.

The recognized exceptions from this general rule are for health and education workers. Under current regulatory orders in place in Slovenia, healthcare workers have to provide proof of negative tests to their employer.

If an employer has a dual role (i.e. it is both an employer and a healthcare provider), it must ensure that the legal bases for collecting health data in the two roles are strictly separated. The mere fact that an employer is also a healthcare provider does not create a right to access employees' health data.

Furthermore, the Slovenian DPA (IP) explained that there is no current regulation that would give the employer a general legal basis for processing a health insurance card number. In the absence of a specific legal basis for processing, an employer is generally not entitled to an employee's health card number.

Finally, the IP issued some additional guidelines for collecting data concerning health.

Firstly, it wrote that processing of an employee's personal data on the basis of the employee's consent is permissible only in exceptional cases, provided that the employee's refusal has no consequences for the employment relationship or the employee's legal position. Consent in employment is more the exception than the rule, because the employer is the stronger party in relation to the employee and the chances of abusing this basis for data processing in employment are greater.

Secondly, it elaborated that, pursuant to Article 48 of the Employment Relationships Act (ZDR-1), if the legal basis for processing an employee's personal data ceases to exist, the employer must delete the personal data immediately.

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Employer testing

Date: 03.06.2021
Number: 07121-1/2021/1039
Categories: Employment, Education, Health Personal Information

The Information Commissioner (hereinafter IP) has received your request for an opinion. You are interested in whether the processing of personal data by the employer in connection with the testing of employees for the new coronavirus, as written at the bottom of the link…, complies with the law. Above all, you are interested in whether the employer can really look at the employee's report / test at any time and also process the employee's health card number. According to what is written, professors can see whether the students are negative on the tests or not, and for the employees it is not even written who has insight into this. The unit within the employer does conduct testing, but you don't understand why the employer would have insight into the results and the health card number at all. Can an employer request that a test result be provided to him? As follows from the link, testing is not mandatory; is it considered that by participating in the testing you automatically agree to the terms of personal data processing when they are stated?

On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the General Data Protection Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your question. At the same time, the IP emphasizes that it cannot assess specific processing of personal data outside the inspection procedure.

The IP clarifies at the outset that the controller must have an appropriate legal basis for the lawful processing of personal data. These are set out in Article 6(1) of the General Data Protection Regulation. Personal data relating to the physical or mental health of an individual, including the provision of health services, which reveal information about the individual's state of health, are defined in Article 4(15) of the General Data Protection Regulation as data concerning health. The latter are classified under Article 9(1) of the General Data Protection Regulation as a special category of personal data, the processing of which is prohibited unless one of the exceptions listed in points (a) to (j) of Article 9(2) of the General Data Protection Regulation applies.

Article 48 of the Employment Relationships Act (Official Gazette of the Republic of Slovenia, No. 21/13 et seq.; hereinafter ZDR-1), which stipulates in its first paragraph that the personal data of employees may be collected, processed, used and transmitted to third parties only if this is determined by this or another law or if it is necessary for the exercise of rights and obligations arising from the employment relationship or in connection with the employment relationship, is particularly relevant for the processing of data in employment relationships. Which personal data the employer may process for the purpose of exercising the rights and obligations arising from the employment relationship or in connection with the employment relationship must be assessed on a case-by-case basis. It is up to the employer to justify why it needs certain personal data of the employee in order to exercise the rights and obligations arising from the employment relationship or in connection with the employment relationship. Pursuant to the third paragraph of Article 48 of ZDR-1, the personal data of employees for the collection of which there is no longer a legal basis must be deleted immediately and cease to be used.

The employer does not, in principle, need the information as you describe it, unless required to obtain it by sectoral regulations such as mandatory testing orders for employees in certain activities. However, even in such a case, the employer must, in accordance with the principle of data minimisation referred to in point (c) of Article 5(1) of the General Data Protection Regulation, collect or process only those personal data that are adequate and relevant for that purpose.

The Order on the implementation of a special screening program for early detection of SARS-CoV-2 virus infections for persons performing medical activity (Official Gazette of the Republic of Slovenia, Nos. 36/2021, 61/2021, 74/2021, 76/2021; hereinafter the Order) provides for the implementation of a special screening program for early detection of SARS-CoV-2 virus infections for persons performing medical activity (special program for medical activity) at all healthcare providers performing medical activity in accordance with the law governing medical activity (providers). Article 2 of the Order stipulates that healthcare professionals and healthcare associates who perform work for providers (healthcare professionals) must take part in testing for the SARS-CoV-2 virus (testing) within the framework of the special program for healthcare activity before starting to provide healthcare services.

Article 3 of the Order specifies which persons need not be tested and when, namely it stipulates that persons are not required to be tested if they submit evidence of a negative result of a PCR test or a rapid antigen test; have proof of vaccination against COVID-19; have evidence of a positive PCR test result that is older than ten days, unless the physician judges otherwise, but not older than six months; or have a doctor's certificate that they have contracted COVID-19 and no more than six months have passed since the onset of symptoms. Notwithstanding the above, testing is mandatory for healthcare professionals with signs of COVID-19.

The order in Article 4 further stipulates that the provider shall appoint an authorized person to whom the negative results of tests performed within the framework of a special program for medical activity shall be communicated.

According to the Order, healthcare professionals are, as a rule, obliged to inform the authorized person that they have undergone the prescribed testing and that the result was negative. The healthcare professional is therefore obliged to report only a negative test result. If the employee has not been tested by the provider who performs testing for the particular institution, the authorized person may also request information from the healthcare professional as to which provider tested them and check with that provider whether the testing was actually performed for the healthcare professional. For the purposes of fulfilling the above-mentioned Order for an individual healthcare professional, the authorized person may only keep in the records the employee's statement on the negative test, the date of the negative test and information on where the test was performed.

In the event that a healthcare professional does not need to be tested for the reasons stated in Article 3 of the Order, he must inform the authorized person of the reason why he does not need to be tested and provide him with access to the evidence confirming his statement. In this case, for the purposes of complying with the Order, only the employee's statement that he meets the conditions of Article 3 of the Order and until when they are met, and an official note on access to the evidence (e.g. certificate no. … or certificate of …), may be kept, but not the reason for this (it is therefore not entered in the records that he is, for example, a patient or that he has been vaccinated).

At this point, the IP adds that arrangements corresponding to those mentioned above for healthcare professionals are laid down for employees in education by the Order on the implementation of a special screening program for early detection of SARS-CoV-2 virus infections for persons engaged in education (Official Gazette of the Republic of Slovenia, Nos. 11/21 and 64/21). In the case as you state it, both orders could be relevant.

The IP is not aware of any regulation that would give the employer a general legal basis for processing a health insurance card number. In the case as you state it, there could also be an intertwining of the powers that the employer has in relation to processing for the purposes of the employment relationship and for the purpose of healthcare. In particular, given the purpose limitation principle as one of the fundamental principles of personal data protection, the mere fact that the controller has certain data (for example, the processing of health insurance card data is usually necessary for the purpose of healthcare) does not allow the use of such data for other purposes (in your case, for the exercise of rights and obligations arising from or in connection with an employment relationship). There must be a (separate) legal basis for each individual purpose. The controller, in your case an employer that acts in several roles, must also take care to separate the processing operations it performs in its different roles and not to mix or merge the databases it processes in those different roles.

In addition, the IP emphasizes that the processing of an employee's personal data on the basis of his personal consent is permissible only in exceptional cases, provided that its refusal has no consequences for the employment relationship or the employee's legal position. Personal consent in employment is therefore more the exception than the rule, because the employer is the stronger party in relation to the employee and the chances of abusing this legal basis in employment are all the greater. The guidelines of the European Data Protection Board (EDPB) on consent as a legal basis for the processing of personal data in employment relationships also emphasize the unequal nature of the worker-employer relationship, which hampers the validity of consent. According to the EDPB, the basic criterion for the admissibility of consent in employment is that giving or refusing consent has no negative consequences for employees. In doing so, the more detailed provisions regarding the conditions under which consent is considered valid, set out in Article 7 of the General Data Protection Regulation, must be observed. The consent of the individual must be a concrete, comprehensible statement or other unequivocally affirmative act, and it must be provable. Silence or any inaction thus does not constitute consent. The individual must therefore clearly give his or her consent to the collection and processing of his or her personal data for a specific purpose. The IP emphasizes that where data processing involves several different purposes, consent must be given for each of them individually. The purpose must be clearly and unambiguously defined, as a concrete, explicit and legitimate purpose of the processing is a precondition for obtaining valid consent. The controller must be able to prove that the individual has consented to the processing of his or her personal data. The individual also has the right to withdraw his consent at any time.

In any case, employees must already have access, when the data are collected, to the relevant information on the processing of their personal data provided for in Article 13 of the General Data Protection Regulation, for example to whom the data are sent, for what specific purpose, on what basis, what the retention period is, who the controller is, what rights an individual has in relation to his data, whether the provision of data is mandatory, and the like.

The IP can only make a final assessment of the lawfulness of the processing of personal data in an inspection procedure. If you believe that the case as you state it involves a violation of regulations in the field of personal data protection, you can submit a report of the violation to the IP. The form available for reporting a personal data breach on the website https://www.ip-rs.si/obrazci/varstvo-osebnih-podatkov/ can also help you with this. The report can also be submitted anonymously.

Greetings,

Mojca Prelesnik,
Information Commissioner

Žiga Veber,
state supervisor
for the protection of personal data


This opinion was developed in the framework of the project "Justice, Equality and Citizenship Programme 2014-2020", funded by the European Union.
The content of this opinion is a non-binding opinion of the Information Commissioner and is the Information Commissioner's sole responsibility. The European Commission does not accept responsibility for any use which may be made of the information contained therein.