IP - 07120-1/2020/345
|IP - 07120-1/2020/345|
|Relevant Law:||Article 5(1)(c) GDPR|
Article 9(2)(b) GDPR
Article 58(3) GDPR
|National Case Number/Name:||07120-1/2020/345|
|European Case Law Identifier:||n/a|
|Original Source:||Informacijski Pooblaščenec (in SL)|
Using its power under Article 58(3)(b) GDPR, the Slovenian DPA (IP) issued a non-binding opinion on the parameters for employers when processing data concerning the health of their employees.
The individual requesting the opinion is an employee at a primary school that required its employees to obtain a signed statement specifying whether or not they belonged to an "at-risk" group of workers who would be unable to carry out their work on a school premises due to the SARS-CoV-2 (COVID-19) crisis. Alongside the statement, employees were asked to include evidence supporting it, such as personal health records.
Does the GDPR permit employers to obtain and store data regarding their employee's health in the form of signed statements or personal health records?
According to the IP, for the purposes of Article 9(2)(b) GDPR, employers are only entitled to process (ie obtain and store) general information on their employee's health for employment purposes, such as a statement declaring their inability to work in a specific workplace. Article 9(2)(b) GDPR does not permit the processing of more specific health data, such as personal health records. However, there may be some exceptions to this, such as an employee's estimated time of leave, or if the employee has a particular movement regimen determined by the doctor.
The IP applied the principle of data minimisation in Article 5(1)(c) GDPR to underpin its rationale for this opinion.
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
Date: 18.05.2020 Title: COVID and the collection of declarations of incapacity for work due to belonging to a risk group of workers Number: 07120-1 / 2020/345 Subject matter: Employment relationships, Special types, Legal basis Legal act: Opinion On 8 May 2020, you addressed a letter to the Information Commissioner (hereinafter IP) stating that you were employed at one of the primary schools in connection with the re-establishment of educational work on the institution's premises during the implementation of the ordered measures. SARS-CoV-2 (COVID-19) to obtain a statement of signature as to whether, according to your medical or family certificates, you belong to a risk group of workers, which means that you cannot their contractual obligations of direct educational work on the premises of the institution. The statement, which will be kept in the personal file of the employee, must be accompanied by evidence at the discretion of the employee in relation to the protected personal data. It also follows from the statement that the employee received a circular from the Ministry of Education, Science and Sport dated 06.05.2020, no .: 6030-1 / 2020/3 and the RSK Guidelines of the Ministry of Health dated 05.05.2020 and 30.04.2020 and that in the event of a summons, he will immediately submit to the competent organizations, as proof of this statement, all necessary documentation at his disposal in his personal health record or in the possession of a family member or a person in the household or in his personal health record. You are wondering if this is a standard way to obtain data because you will not have the time and opportunity to obtain a properly neutral personal physician certificate. On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (General Regulation on Data Protection; hereinafter: General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP- 1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your above-mentioned issue. **** IP emphasizes at the outset that it cannot assess specific processing of personal data outside the inspection procedure or other administrative procedure. It can only give general explanations in the opinion, but it cannot assess the adequacy of individual measures in the current emergency situation and it cannot and cannot take responsibility of individual entities for their operations, similarly to other inspection bodies. For this reason, we only provide you with a general opinion and explanations regarding the processing of personal data of employees. The legal basis for processing t.i. specific types of personal data, including health-related data, are set out in Article 9 of the General Regulation, according to which the processing of such personal data is permissible only if one of the reasons specified in the second paragraph of this Article applies. These reasons include, inter alia, the reason referred to in point (b) of the second paragraph of Article 9 of the General Regulation, according to which the processing of specific types of personal data is permissible if necessary for the purposes of fulfilling obligations and exercising special rights of the controller personal data, in the field of labor law and social and social security law, where Union law or the law of a Member State or a collective agreement so permits in accordance with the law of a Member State providing appropriate safeguards for the fundamental rights and interests of the data subject. personal data. The general legal basis governing the processing of personal data of employees in the Republic of Slovenia is set out in the first paragraph of Article 48 of the Employment Relationships Act (Official Gazette of the Republic of Slovenia, No. 21/13, with sperm, hereinafter ZDR-1), which stipulates that personal data of employees may be collected, processed, used and passed on to third parties only if this is determined by this or another law or if it is necessary for the exercise of rights and obligations arising from the employment relationship or in connection with the employment relationship. As the controller of personal data, the employer must, in addition to the lawfulness of the processing, comply with other provisions of the General Regulation when collecting and further processing personal data, such as e.g. basic principles regarding the processing of personal data referred to in Article 5 of the General Regulation and the duty to provide individuals with transparent and comprehensible information regarding the collection and processing of personal data (Articles 12 and 13 of the General Regulation). At this point, it is important to emphasize the principle of the minimum amount of data (point (c) of the first paragraph of Article 5), according to which personal data processed must be relevant, relevant and limited to what is necessary for the purposes for which processed to prevent the collection of personal data "in stock". In addition, the duty to provide transparent and comprehensible information under Article 13 of the General Regulation, where personal data controllers are required to provide the individual with all information referred to in paragraphs 1 and 2 of this Article (identity and contact details of the controller and the data protection officer, the purposes for which the personal data are processed, as well as the legal basis for their processing, users or categories of users of personal data, etc.). **** At a time of epidemic, when we are facing the spread of COVID-19 infections and both individual and public health are at risk, the employer is entitled, in the light of the above, to IP, under Article 9 (2) (b) of the General Regulation With the first paragraph of Article 48 of ZDR-1, it obtains from the employee a statement as to whether he or she belongs to the risk group of workers in relation to his or her personal health condition or the health condition of members of his or her household, as a result of which he or she cannot on the premises of the institution. However, according to IP, the employer is not entitled to require the employee to submit evidence or. documentation from which the concrete reasons for the worker's danger arise. According to the IP, it is only the health profession that can assess which workers belong to the risk group, which is why employers are not entitled to the processing of employee health data, such as e.g. diagnosis or information on specific signs of the disease. It should also be noted that, as a rule, employees of the employer are not even qualified for the professional interpretation of medical documentation. From the point of view of personal data protection, the employer is entitled only to general data on unspecified health reasons for inability to work in the workplace, but is not entitled to data on specific health problems (ie health status) and specific treatment. The exception is general information about the regimen and reasons for treatment, e.g. estimated time of sick leave, movement regime determined by the doctor and data that are regularly stated on the sick list (isolation, care, injury, (). The IP therefore considers that an employer can ask a worker who declares that, due to his or her state of health or the health of members of his or her household, he or she belongs to a risk group of workers unable to perform his or her contractual obligations during direct educational work. on the premises of the institution, as evidence requires, for example, an ordinary medical certificate (which merely confirms the fact that the employee belongs to a risk group and can usually be issued by a selected personal physician) or other evidence that does not give specific health reasons for inclusion in the risk group. We also advise you to read other opinions, positions and recommendations of the IP regarding the protection of personal data during the COVID-19 pandemic, which are published at the following link: https://www.ip-rs.si/index.php ? id = 897. Greetings, Prepared: Jože Bogataj, Deputy Information Commissioner Mojca Prelesnik, B.Sc. dipl. right, Information Commissioner