IP - 07121-1 / 2020/1159

From GDPRhub
IP - 07121-1 / 2020/1159
LogoSE.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6 GDPR
Type: Advisory Opinion
Outcome: n/a
Decided: 23.08.2020
Published: n/a
Fine: None
Parties: n/a
National Case Number/Name: 07121-1 / 2020/1159
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: Information Commissioner's website (in SL)
Initial Contributor: Marco Blocher

In a non-binding opinion, the Slovenian data protection authority (Information Commissioner) held that employers are not permitted to process employees' personal data to monitor their compliance with imposed quarantine.

English Summary[edit | edit source]

Questions raised[edit | edit source]

The Information Commissioner had been asked, if employers are allowed from a data protection viewpoint to supervise the compliance with quarantine imposed on their employees.

Opinion[edit | edit source]

The Information Commissioner held that:

  • The processing of employee's personal data for the supervision of the compliance of quarantine is in principle not necessary for the exercise of rights and obligations arising from the employment relationship.
  • The employer only needs proof that the quarantine has been imposed and related necessary information (e.g. start or duration of quarantine or special restrictions) in order to handle an employee's quarantine.
  • Only competent state bodies are entitled to supervise quarantine and to sanction non-compliance.
  • Imposed quarantine is not the same situation as an employee's sick leave. Compliying with quarantine is not the exercise of an employee's right, but observance of a coercive measure in the public interest that does not depend on the will of the employee.
  • From a data protection stance, only informal contacts with a quarantined employee are allowed, but no of systematic and documented supervision.

Comment[edit | edit source]

The Information Commissioner did not cite any speficic section of Article 6 GDPR to give reason to its opinion. However the opinion seems to revolve around the questions on whether quarantine supervsion by an employer is lawful under Article 6(1)(b) GDPR (i.e. necessary for the performance of the employment contract) or Article 6(1)(c) GDPR (i.e. if there is a legal obligation of the employer).

Suprisingly, the Information Commissioner did also not deal with the question of lawfulness under Article 6(1)(f) GDPR ("does the employer have legitimate interests in monitoring quarantine compliance?") or Article 9(2) GDPR ("quarantine supervsion by the employer as processing of special categories of data?").

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Date: 23.07.2020
Title: Supervision of quarantine by the employer
Number: 07121-1 / 2020/1159
Subject matter: Employment relations, Medical personal data
Legal act: Opinion

On 29 June 2020, we received your question from the Information Commissioner (IP) on whether the company-employer can supervise the implementation of quarantine imposed on their employees (especially those from Serbia, Bosnia and Herzegovina and Kosovo). The control would be carried out by security guards in the company.

On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (hereinafter: the General Regulation on Data Protection), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP) provides our non-binding opinion on your issue.


Quarantine control by the employer in terms of the processing of personal data (eg systematic personal control at home with recording of findings or control via mobile applications) is not permitted. However, it is permissible for the employer to become acquainted with the fact and proof that the employee has been ordered quarantined and with other information regarding the ordered quarantine, which is important for the exercise of rights and obligations arising from the employment relationship. and specific restrictions).



Explanations:

In the case of employer control in the sense of systematic monitoring of quarantine enforcement (eg visits by authorized workers at home or monitoring of movement via mobile applications), which involves the processing of personal data, such control is not permissible or no legal basis, e.g. in Article 48 of ZDR-1 or in point (b) or (f) of the first paragraph of Article 6 of the General Regulation on Data Protection. The reasons for this are in particular:
• Supervision over the observance of the ordered quarantine or data related to the observance of quarantine are in principle not necessary for the exercise of rights and obligations arising from the employment relationship. In other words, non-compliance with the ordered quarantine is not in itself a violation of the employment relationship or the employee's obligations in this area, and therefore in principle has no direct consequences for the employment relationship;
• In relation to quarantine, the employer only needs proof that the quarantine has been ordered and the related necessary information (eg start or duration, conditionally location of execution and order, reasons for the order and special restrictions) necessary for the assessment of rights and obligations (eg to assess whether force majeure is given and whether there are reasons for termination of employment in exceptional cases, for planning or organizing work, for calculating the salary);
• Violation of quarantine can be sanctioned in the field of administrative law and supervision can only be carried out by a competent state body, as it is an administrative measure;
• In the case of quarantine, this is not the same situation as in the case of sick leave due to illness or isolation, and therefore there are no obvious reasons for allowing supervision by analogy with sick leave of up to 30 days. Quarantine is not the exercise of a worker's right (eg in the field of health insurance), but a coercive measure in the public interest that does not depend on the will of the worker and by not respecting quarantine the worker does not "cheat" or play justified absences from work. as is possible in certain cases in sick leave.

From the point of view of personal data protection, only informal contacts with a quarantined worker are allowed, which are not carried out in the manner of systematic and documented supervision.

Best regards,


Prepared:
mag. Urban Brulc, Univ. dipl. right.
independent IP consultant

Mojca Prelesnik, B.Sc. dipl. right.
Information Commissioner