LGP Slovakia / News / Legal aspects of the coronavirus – second wave / Processing of Employees’ Personal Data

Processing of Employees’ Personal Data

Processing of Employees’ Personal Data

Dated: 19.11.2020

In connection with the comprehensive testing of the population of the Slovak Republic, several government resolutions were adopted, such as Decree-Law no 678/2020 and 693/2020 (Decrees-Law). The alleged Decree-Law constitute restrictions on freedom of movement. The Decrees-Law in question provide, inter alia, for exemptions for persons who can prove a certificate of negative RT-PCR test or a certificate issued by the Ministry of Health of the Slovak Republic with a negative result of an antigen test certified in the European Union for COVID-19. 

In this context, the question of the legality and constitutionality of the obligation to prove the results of the above COVID-19 tests is appropriate. In order to protect public health as well as the health of employees, it is expedient for persons to prove themselves to the employer by such certificates.

The Decrees-Law were the subject of a survey by the Office for Personal Data Protection of the Slovak Republic, which reached, among other things, the following conclusions: “Decrees-no. 678, also no. 693, from the point of view of personal data protection, we do not consider dating a sufficient legal basis for the processing of this data. However, regarding point C.1 of Decree-Law no. 693/2020, we perceive the recommendation of the government, to clarify the obligation to prove a negative result or a certificate by a decree, positively. The issuance of the said decree is necessary, regarding the clarification of the obligation to prove with a negative test / certificate imposed by Decree-Law. The decree must stipulate, from the point of view of processing operations with personal data, the persons who are to request proof (taking into account the principle of necessity), the persons who are obliged to perform it against them, for how long and for what purpose such proof will be carried out.“

The Public Defender of Rights of the Slovak Republic also commented on this issue, whose opinion is as follows: “After the analysis of the Decree of the Public Health Authority of the Slovak Republic no. 16/2020 and related legislation, following the obligations of persons as well as operators of facilities in the context of the GDPR Regulation, I came to the conclusion that the obligations set out therein do not constitute a violation of fundamental rights and freedoms contrary to the Constitution of the Slovak Republic and international obligations by which Slovak Republic is bound. If one of the exceptions to the general curfew and the subsequent ban on entry to the facility is conditioned by proof of a negative result of the RT-PCR test, respectively antigen test, the exercise of the right to inspect such confirmation is less intrusive on the right to privacy, such as the curfew itself and the ban on entry into the facility.“

Is the employer allowed to require information from customers or employees about their health in the context of COVID-19?

The answer is stipulated by a Decree of the Public Health Authority of the Slovak Republic no. 16/2020 that imposes measures on persons to enter the premises of the employer in the event of endangerment of public health (Decree).

The Decree in accordance with the Resolution stipulates a prohibition of persons to enter the premises of the employer. The Resolution, as well as the Decree, stipulate an exemption for persons with negative COVID-19 tests.

The employer, except for stipulated exemptions, is allowed to require submission of the relevant document from an employee entering the premises of the employer for the purpose of verification of the aforementioned exemption. The employer has the right to view the contents of the document.

However, if we consider the aforementioned conclusions of the Office for personal data protection of the Slovak Republic to be correct, we have to deal with this issue mainly on the basis of provisions of the Regulation no. 2016/679  from 27th of April 2016 of the European parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46 / EC (GDPR: General Data Protection Regulation); Act no. 355/2007 Coll .; resp. Act no. 124/2006 Coll.

Pursuant to Art. 6 par. 1 letter d) of the GDPR the processing of personal data is lawful only if and to the extent that the processing is necessary to protect the vital interests of the data subject or of another natural person.

Pursuant to Art. 9 of the GDPR, among other things, the processing of personal data is prohibited, except if the processing is necessary for the purposes of preventive or occupational medicine, the assessment of an employee's capacity to perform the work, medical diagnosis, or if processing is necessary in the name of public interest of public health, such as protection. against serious cross-border threats, based on Union law or the law of a Member State stipulating appropriate and specific measures for the protection of the rights and freedoms of the person concerned, in particular professional secrecy.

The application of the principle of adequacy and data minimization is here especially important. The employer should only request health information to the extent necessary.

Based on the contents of the Decree, it can be concluded that if the employee does not prove himself with a document proving an exception to the ban to enter the premises, it is considered that this person does not meet the requirements of health and safety at work under Article 5 of Act no. 124/2006 Coll.

Pursuant to Article 52 par. 1 letter a) of Act no. 355/2007 Coll. it is stipulated that natural persons-entrepreneurs and legal entities are obliged to comply with measures to prevent diseases and measures in the event of threats to public health. The same legal regulation in the article § 12 par. 2 stipulates that such a measure is also a prohibition or restriction on the pursuit of a profession of ill persons with a transmissible disease or persons suspected of having a transmissible disease.

From the above-mentioned, it is obvious that there are legal reasons for employer to obtain information about employee's COVID-19 test result. Since conditions stipulated by GDPR for processing personal data (in this context mainly protection of life and health) are also met, it is not necessary to consent such processing of personal data by employee. In case, that employee won't provide employer with option to review employee's COVID-19 test result, according to the decree, resp. already mentioned legislation with higher legal power, employer is entitled to prohibit entry to workplace for such employee.

At the same time, we are of the opinion that even in case of possible shortcomings of the Decree, as expressed by the Office for Personal Data Protection of the Slovak Republic, employer is entitled to require reviewal of employee's COVID-19 test result in accordance with the above provisions of the relevant legal regulations. In case employee rejects such process, we believe that employer is entitled to prohibit employee's entry to workplace, which shall be considered as application of statutory measures for protecting other workers at the workplace and supporting public health protection. 

Is employer authorized to report, that an employee is infected with COVID-19 to a colleague or external party?

Employers should inform other employees about their colleagues being positive on COVID-19 and take safety measures, however they shall not provide more information than necessary. Employer is obliged to notify employees about presence of the infected employee at workplace, but at the same time, if possible, he should keep the infected person anonymous. In cases, in which it is absolutely necessary to disclose name of the employee(s) infected by virus (e.g. in preventive context) and national law regulation allows such procedure, the concerned employees must be informed in advance and the principles of personal data processing must be applied.

What kind of information regarding COVID-19 are employers authorized to obtain?

As already mentioned, employers can review the results of their employees’ tests on COVID-19 and thus become acquainted with the information and personal data contained in such testing results.

Author:

Mgr. Tomáš Popovič, associate