IP - 07121-1/2020/387

From GDPRhub
IP (Slovenia) - 07121-1 / 2020/387
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 9 GDPR
Type: Advisory Opinion
Outcome: Other Outcome
Started:
Decided: 20.03.2020
Published:
Fine: None
Parties: Anonymous
National Case Number/Name: 07121-1 / 2020/387
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: Informacijski Pooblaščenec (in SL)
Initial Contributor: n/a


The Slovenian Supervisory Authority (IP) issued an opinion as foreseen under Article 58(3) GDPR on the issue of the health data sharing under Article 9 GDPR in the employer - employee context. It held that there is no reason to collect such data by all organisations and companies, since in principle such information is provided through the National Institute of Public Health (NIJZ) epidemiological service. For all the other cases, the respective exceptions under Article 9(2) GDPR may apply.

English Summary

Facts and questions arising

The IP received a request whether at the time of the pandemic, an employee may be required to notify an employer about the infection with the corona virus. The purpose of such notification would be to ensure safe working conditions in the unit where the employee performs their work.

Holding

The IP was of the view that the employer may request that employees inform the employer about the infection, if the NIJZ deems it necessary. Such information falls under the special category personal data under Article 9 GDPR. The processing of such data is prohibited unless one of the exceptions referred to in Article 9(2) GDPR applies.

In the event of the COVID-19 pandemic, which threatens both the individual and public health, these exceptional circumstances may require measures that interfere with the processing of special category personal data. The IP held that the measures that otherwise interfere with the processing of special category personal data may be in the interests of protecting the vital interests of employees, the legitimate interests of the company, and in the public interest.

If such a member of the medical staff decided that an obligation to process the health data exists, the explicit consent cannot be a suitable basis for processing since the legal basis derives from the above mentioned rules and labor law. The principle of proportionality should always be respected and only the data that is necessary to achieve the purpose should be processed. However, this information must be adequately protected by the employer. In principle, statistics (eg, only information on the occurrence of an infection in a particular company, class, floor, etc.) are sufficient to provide further information, without other information that enables the individual to be identifiable.

Therefore, there is no reason to collect such data in all organizations and companies, since in principle such information is provided through the NIJZ epidemiological service. Should the NIJZ epidemiological service in a particular institution confirm a case of infection with the new coronavirus either among employees or among users, the NIJZ epidemiologist will immediately contact the organisation and give them clear instructions on the follow-up procedures and measures to be taken.

Comment

Share your comments here!

Further Resources

The IP invited to get familiar with detailed information on the processing of personal data at the time of pandemic, which it made available on its website:

https://www.ip-rs.si/novice/odgovorno-ravnanje-vseh-je-kljucno-v-casu-virusne-krize-1170/

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.

Date: 03/20/2020
Title: Obligation to inform the employer of individual occurrences of the COVID-19 virus
Number: 07121-1 / 2020/387
Subject matter: Employment relations, Specific types, Legal bases
Legal act: Opinion
The Information Commissioner (hereinafter referred to as IP) has received your question whether it is permissible, at the time of the epidemic, to require the worker to notify the employer in the event of coronavirus infection. Namely, we need the information to ensure safe working conditions in the unit where the worker performs his work.
On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46 / EC (hereinafter referred to as the General Data Protection Regulation or Decree), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter ZVOP- 1) and Article 2 of the Information Commissioner Act (Official Gazette RS, No. 113/05, hereinafter ZInfP) provide IP explanations.
It is not possible to speak automatically and in all cases of such an obligation on the employee. However, such an obligation of the employee may be ordered by an individual company or organization at the discretion of the competent institutions and the authorized person for occupational health (depending on the specific nature and organization of work) and taking into account the ZDR-1 in connection with sectoral regulations and measures for ensuring health and safety at work. This is a question that needs to be answered primarily by the health care profession, especially by an authorized occupational health officer. So if this is the nature of work, where, despite quarantine, workers come to work or were at work at a time when they could infect others and infection information may be relevant to the employer because of the urgent need to take the necessary measures to protect the vital interests of employees or third parties, such a requirement could be justified in the given emergency. 
According to the NIJZ, employers should alert or urge sick workers to stay home and follow the instructions. The NIJZ also provided accurate instructions on how to deal with a respiratory illness in the workplace. Epidemiological service the competent health care institutions are the only persons who can give the sick persons the only concrete instructions on the measures in case of confirmed infection, as well as the companies and / or companies. provide guidance to organizations where such employees were present.
The eligibility of such an obligation therefore depends on the type of work involved, how the employer has arranged it and the nature of the work (eg the risks of infection and consequently the measures are different in the case of work with people, health professionals, teachers, work involving close work). contacts). 
Employers are not entitled to the processing of employees' health data, including information about the diagnosis, body temperature of employees, etc., in accordance with the provisions of labor law. Generally, with regard to employer notification obligations, the provisions of the ZDR-1 apply, which are the same for the public and private sectors. In accordance with Article 35 of the ZDR-1, the worker is obliged to observe and implement the rules and measures on safety and health at work and to carry out his work carefully in order to protect his life and health and the life and health of others. In accordance with Article 36 of the ZDR-1, an employee must also inform the employer of material circumstances that affect or could affect the fulfillment of his contractual obligations, and of any changes to the data that affect the fulfillment of his employment rights. The worker must inform the employer of any threatening danger to life, health or material damage he or she perceives at work. Therefore, the employer may request that employees be informed of the infection, if the occupational health care professional or the competent authority (NIJZ) deems it necessary. Such information is a specific type of personal data and the General Regulation in Article 9 stipulates that its processing is prohibited unless one of the exceptions referred to in Article 9 (2) is given. In the event of an epidemic emergency when we are dealing with the spread of COVID infections -19, and which threatens both the health of the individual and public health, these special circumstances may require measures that also interfere with the processing of specific types of personal data. It should be borne in mind that measures that otherwise interfere with the processing of specific types of personal data may also be in the interests of protecting the vital interests of employees, the legitimate interests of the company and also in the public interest. However, this is a question that needs to be answered primarily by the medical profession, in the case described above, in particular by an authorized occupational health officer. If such an obligation exists, specific consent is not foreseen, since the legal basis derives from the abovementioned rules and labor law, always the principle of proportionality should be respected and only the data necessary to achieve the purpose should be processed. However, this information must be adequately protected by the employer, and without the appropriate legal basis, it is not entitled to forward it. In principle, statistics (eg, only information on the occurrence of an infection in a particular company, class, floor, etc.) are sufficient to provide further information, without other information that enables the individual to be identifiable.
Therefore, there is no reason to collect such data in all organizations and companies, since in principle such information is provided through the NIJZ epidemiological service. Should the NIJZ epidemiological service in a particular institution confirm a case of infection with the new coronavirus either among employees or among users, the NIJZ epidemiologist will immediately contact the institution and give him clear and clear instructions on the follow-up procedures and measures to be taken. In the course of the epidemiological examination, the epidemiologist, in an interview with the patient, identifies all the persons with whom the patient has been in contact. According to the definition of the case, he then orders further action - whether individuals will be tested, quarantined, or will receive instructions for self-observation, etc.
IP has posted information on the processing of personal data in this regard on its website:
https://www.ip-rs.si/novice/odgovorno-ravnanje-vseh-je-kljucno-v-casu-virusne-krize-1170/
For specific guidance on how to act in the event of a case of infection between persons (employees, students or students, clients) in a particular institution, building, etc. however, we suggest that you contact the NIPH, which can provide you with clear and clear guidance on what to do next and what steps you can take.
To this end, NIJZ provides up-to-date information for the general and professional public on the NIJZ website www.nijz.si and on social media channels. For general questions, toll-free telephone numbers 080 14 04 are available to residents every day between 8am and 8pm, and NIJZ's General Public Telephone Numbers 031 646 617 and 031 619 118 are open daily between 9am and 5pm. where an expert is available to talk to concerned residents and try to answer their specific questions.
An IP outside the inspection process and in advance may not and cannot judge what specific information may, or even must, be processed in relation to the current situation, but only by the competent institutions.
Best regards,
Prepared by:
Alenka Jerše, univ. dipl. right.
Deputy Information Commissioner
Mojca Prelesnik, univ. dipl. right.,
Information Commissioner