IP - 07121-1/2020/1180

From GDPRhub
IP - 07121-1/2020/1180
LogoSE.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6(1)(a) GDPR
Article 49(1) GDPR
Article 58 GDPR
Type: Advisory Opinion
Outcome: n/a
Decided: 29.07.2020
Published: n/a
Fine: None
Parties: Informacijski Pooblaščenec
National Case Number/Name: 07121-1/2020/1180
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Slovenian
Original Source: Informacijski Pooblaščenec (in SL)
Initial Contributor: n/a

The Information Commissioner of the Republic of Slovenia issued an opinion regarding the conduct of employers towards their employees in the context of testing for the spread of coronavirus. It was held that an employer must take a holistic approach to defining which measures to put in place to curb the spread of the virus, which could include asking their employees to get tested, and in some instances, asking for the results of their test. However, it was held that employers could not require that their employees tell them which countries they will be visiting on their annual leave.

English Summary[edit | edit source]

Facts[edit | edit source]

Following the receipt of a series of questions about what an employer could require from its employees in the context of halting the spread of coronavirus, the Information Commissioner issued an opinion addressing the questions referred.

Dispute[edit | edit source]

Whether in order to prevent the spread of coronavirus, an employer may make it mandatory for employees to get tested upon their return from holidays, require that they disclose the results of their test and provide the employer with information on which countries they will travel to for annual leave.

Holding[edit | edit source]

In reference to the question of whether an employer can make it obligatory for an employee to get tested, the Information Commissioner held that it was beyond their competence to provide direct instructions on this. However, the Information Commissioner went on to state that in the context of preventing the spread of coronavirus, an employer must take a holistic approach to defining measures to curb the spread of infection. In particular, an employer must establish whether and to what extent measures that do not require the processing of personal data are sufficient, and in which individual cases the processing of certain personal data may be necessary.

In such individual instances where the processing of personal data may be necessary, an employer must provide an appropriate legal basis for the processing, after having justified:

1. the appropriateness of the processing 2. the need for processing 3. the proportionality of the processing

With regards to the question of whether an employer is entitled to the test results of their employee, the Information Commissioner held that although an employer must take into account the principle of data minimization, they are entitled to receive test results if it is appropriate, necessary, and proportionate within the context of each specific case.

In reference to the question of whether the employer had the right to ask their employees for the details of their annual leave, the Information Commissioner reaffirmed that non-employment travel falls within the private sphere of individuals, and an employer would be infringing individual privacy by requiring this information from them. However, the Information Commissioner did go on to say that an employer could collect this information from their employees on the basis of valid consent.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

The Information Commissioner of the Republic of Slovenia (hereinafter IP) has received your question - whether the employer may, in order to prevent the introduction of a new coronavirus (SARS-CoV-2) into the company, after returning workers from holidays abroad:

to refer an employee for mandatory testing (costs would be covered by the employer)?
ask the employee for information on which country he will travel to for annual leave?
After the testing, to request the test results from the employee (on the basis of Articles 35, 36 and 37 of ZDR-1 in connection with point d or f of Article 6 (1) of the GDPR)?
 

On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (hereinafter: the General Regulation on Data Protection), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP) provides us with our optional opinion regarding your questions.

 

In the context of a non-binding opinion, the IP cannot provide instructions for the consistent conduct of the data subject regarding the processing of personal data in a specific case. In a specific case, the IP can establish legality only within the framework of an inspection or other appropriate procedure, after examining all the circumstances of the case.

 

IP emphasizes that in order to justify the lawful processing of personal data of employees in order to prevent the spread of new coronavirus infection, the employer must take a holistic approach to defining measures to curb the spread of infections - taking into account the infection prevention system dictated by the competent institutions. Obligation to inform the employer about individual occurrences of the virus, No. 07121-1 / 2020/387 ). Only in this way can the adequacy, necessity and proportionality of any concrete processing of personal data necessary for this be justified , on which any processing of personal data must be based in order for an interference with the human right to personal data protection to be considered admissible.

 

To this end, the employer must establish:

whether and to what extent measures that do not require the processing of personal data are sufficient, and
in which individual cases, according to the instructions of the medical profession, certain processing of personal data may also be necessary.
 

For these, the employer must provide an appropriate legal basis after first justifying in particular:

the appropriateness of the treatment (justification that the treatment would achieve the pursued goal of preventing the spread of infections),
the need for processing (justification that the same goal cannot be achieved by milder means that would be less intrusive on privacy) and
proportionality of processing (justification that the collection of specific personal data does not unduly interfere with the reasonably expected privacy or other fundamental rights and freedoms of the employee).
 

The employer is therefore first obliged to assess the risk in specific circumstances and, within the instructions of the competent authorities (NIJZ, authorized person for occupational medicine), to comprehensively assess which measures are necessary to curb the spread of infections.

 

If the employer finds that, in accordance with the instructions of the NIJZ and the assessment of the medical profession, personal data must be collected in certain cases in order to prevent the spread of the new coronavirus infection, it must prove the existence of an appropriate legal basis. Legal bases that may be considered for the processing of 'ordinary' personal data are, for example: Article 48 of ZDR-1, another law or one of the points of Article 6 (1) of the General Regulation. However, in the case of the collection of specific types of personal data, the legal bases set out in Article 9 of the General Regulation in conjunction with national rules may apply.

 

The question - whether and when the employer should obligatorily refer the employee for health testing - does not fall within the competence of the Information Commissioner, as it concerns the exercise of rights and obligations from the employment relationship or. regulations regarding measures to prevent the spread of infectious diseases, which is supervised by the Labor Inspectorate ( gp.irsd @ gov . si ) or health inspectorate.

 

To answer the question of whether the employer is entitled to the test results or. to the information on the infection , the above-mentioned opinion no. 07121-1 / 2020/387, which primarily refers to the observance of the instructions of the competent institutions that the employer should take appropriate measures with regard to the assessment of the risk and risk of infection in view of the nature of the work and other specific circumstances. In doing so, the IP draws particular attention to the principle of the minimum amount of data required according to the purpose of the collection. Namely, in principle, the employer is not entitled to collect data on diagnoses and the specific health status of employees, except for those data which, in accordance with the applicable regulations and legal obligations of employers, are necessary for the safe implementation and organization of the work process. Therefore, the employer can only collect the information that is necessary in the light of the above, in order for the employer to implement the prescribed measures to prevent the spread of infection. If such reasons are not given, then the collection of personal data for such a purpose is also not permissible.However, given the specific circumstances of the work in order to prevent the spread of infections in a particular case, there is a legal basis for this (which in particular follows from the instructions of the competent institutions) and it is appropriate, necessary and proportionate, the employer may receive information about the infection complete diagnosis data and test results).

 

Regarding the collection of data on workers' leave abroad, the IP has already issued an opinion Monitoring employee travel, no. 07121-1 / 2020/1142 and we suggest that you familiarize yourself with it. The position applies both to the collection of data on intended places of leave and to any formal inquiries by the employer as to where the worker has taken leave; also whether he was on holiday in Slovenia or not.The opinion states that the non-employment travel of employees falls within the private sphere of individuals and that the employer would unduly infringe on their privacy by processing this information. Therefore, the IP does not in principle see a legal basis for the processing of this data in terms of exercising rights and obligations arising from the employment relationship or in relation to the employment relationship, as provided by Article 48 of ZDR-1, unless for certain cases and for certain data in a limited the scope of an individual regulation stipulates otherwise (eg paragraph 5 of Article 15 of the Intervention Measures Act in preparation for the second wave of Covid-19). However, in the absence of specific rules, such a collection could possibly be admissible only on the basis of valid consent (as is clear from the above-mentioned opinion No 07121-1 / 2020/1142, consent under Article 6 (1) (a) of the General Regulation could be valid). , provided that it would not be coerced, eg by being accompanied by a warning that the individual has the right not to give consent without any consequences for his employment or legal position).

 

Greetings,

 

               

Prepared:

Anže Novak, B.Sc. dipl. right

Adviser to the Prevention Commissioner

 

Mojca Prelesnik, B.Sc. dipl. right

Information Commissioner