Since vaccinations against Covid-19 became available, employers are increasingly seeking to know the vaccination status of their employees, usually to ensure workplace safety. However, vaccination data is health data, which is special category data under the General Data Protection Regulation (GDPR). Due to the personal and sensitive nature of this data, it is subject to stricter data protection rules and may only be processed in very limited cases (see Art. 9 (2) GDPR). Hence, this article will give your company guidance on whether it is permissible to process employee vaccination data and if so, under which circumstances.
Can employers legally process employee vaccination data?
Vaccination data is health data and therefore special category data under the GDPR. The processing of special category data is only lawful if it is based on one of the grounds for processing laid down in Art. 6 GDPR and, in addition, a separate condition for processing under Art. 9 GDPR is met.
Whether there is a legal basis for the processing of vaccination data by employers under Art. 9 GDPR is viewed differently throughout Europe. Guidance from several countries, such as France, Germany, Belgium, the Netherlands, and Ireland, indicates that employers are not allowed to ask employees for their vaccination status, as there is no legal basis for it.
But there might be exemptions to this rule: The Data Protection Conference of the German Supervisory Authorities just announced that vaccination status requests by employers may be allowed in the case of wage compensation claims. If employees have to undergo quarantine, they may receive compensation for loss of earnings, but only if they could not have avoided the quarantine by receiving an officially recommended vaccination. Since employers are obliged to pay the compensation on behalf of the competent authority and the vaccination status is a prerequisite for the employee’s compensation claim, the employer may process the vaccination (or recovery) data.
However, other countries, such as Austria, Spain, Finland and the UK, indicate that employers are allowed to collect vaccination data from employees as long as the information is necessary to ensure workplace safety (e.g., to prevent Covid-19 infections at the workplace). In their view, this can be based on Art. 9 (2) (b) GDPR, which allows the processing of special category data “for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment”.
Therefore, it is important for your company to assess national legislation and guidance on the processing of vaccination data before any data is collected.
A processing of vaccination data based on employees’ consent (see Art. 9 (2) (a) GDPR) is usually not possible. Due to the imbalance of power between you as an employer and your employees, consent is usually not “freely given” and is therefore invalid.
GDPR principles as key considerations for the lawful processing of vaccination data
However, even if national laws indicate that the collection of data on your employees’ vaccination status is permissible, there is often little guidance on the scope of the permissible processing. In this case, general data protection principles provided by the GDPR can be helpful to assess if and how vaccination data can be legally processed.
First, you always need a lawful basis for the processing of data. Therefore, before any data is processed, you have to identify the purposes for which the employee vaccination data is to be collected and processed, and determine whether there is a legal basis for this processing of special category data according to Art. 6 and Art. 9 GDPR. Even in the countries that indicate that vaccination data can be processed by employers, the processing is only lawful if the vaccination data is collected for the purpose of ensuring workplace safety.
Moreover, you must inform your employees and provide them with all relevant information on the collection, use (and its purposes), possible disclosure and retention period of their health data.
You are only allowed to collect data that is strictly necessary for the purposes identified, which means that you have to minimize the data you collect from your employees. An example of a lack of necessity would be collecting vaccination data from employees who continue to work remotely. In this case, the principle of data minimization obliges you to limit the collection of vaccination data to employees working in an office or other facility, as only this data is necessary to ensure workplace safety.
Moreover, you have to limit the retention of vaccination data to the period that is strictly necessary to achieve the purpose. Therefore, your company should establish a retention schedule for employee vaccination data (and inform the employees about it). In addition, it is advisable to establish a secure deletion procedure for vaccination data to be triggered as soon as public health authorities declare the end of the pandemic.
National laws may impose additional requirements, like storing employee health data in a separate file from the general personnel file.
With special category data, such as health data, security is especially important. Therefore, your company should have administrative and technical safeguards in place, such as limiting access to vaccination data to persons responsible for monitoring health and safety in the workplace.
Moreover, you must store employee vaccination data securely. Due to the sensitivity of the data, special safeguards, such as high-level encryption and strict access controls, should be implemented.
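The minimization, retention, separation and access-limitation controls described above can be enforced in the system that holds the data rather than left to policy alone. The following is an added illustration, not code from the original article; the role name "health_safety" and the 90-day retention period are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    on_site: bool  # True = works in an office/facility, False = remote only


@dataclass(frozen=True)
class VaccinationRecord:
    emp_id: str
    vaccinated: bool  # only the status is kept, no copy of the certificate
    collected_on: date


class VaccinationStore:
    """Holds vaccination status separately from the general personnel file."""

    HEALTH_SAFETY_ROLE = "health_safety"  # assumed name of the authorised role

    def __init__(self, retention_days: int) -> None:
        self.retention = timedelta(days=retention_days)  # retention schedule
        self._records: Dict[str, VaccinationRecord] = {}
        self.audit: List[Tuple[str, str, date]] = []  # who read whose status, when

    def collect(self, employee: Employee, vaccinated: bool, today: date) -> None:
        # Data minimisation: only on-site staff are in scope for workplace safety.
        if not employee.on_site:
            raise ValueError(f"{employee.emp_id}: remote employee, status not necessary")
        self._records[employee.emp_id] = VaccinationRecord(employee.emp_id, vaccinated, today)

    def read(self, requester_role: str, emp_id: str, today: date) -> Optional[bool]:
        # Access limited to the health-and-safety function; every read is logged.
        if requester_role != self.HEALTH_SAFETY_ROLE:
            raise PermissionError(f"role '{requester_role}' may not read vaccination data")
        self.audit.append((requester_role, emp_id, today))
        rec = self._records.get(emp_id)
        return None if rec is None else rec.vaccinated

    def purge_expired(self, today: date) -> int:
        # Storage limitation: drop records older than the retention schedule.
        expired = [e for e, r in self._records.items() if today - r.collected_on >= self.retention]
        for e in expired:
            del self._records[e]
        return len(expired)

    def purge_all(self) -> int:
        # Deletion hook for when public health authorities declare the pandemic over.
        n = len(self._records)
        self._records.clear()
        return n
```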
In general, due to its sensitivity, you can only process vaccination data under very limited circumstances. If you want to do so, you should first assess whether the data protection authorities of the respective countries consider the processing of employee vaccination data permissible and under which circumstances. If this is not the case, you should refrain from processing employee vaccination data. If processing is considered to be permissible, you should nevertheless always keep the above-mentioned GDPR principles in mind and adhere to them.