Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

EU: Vaccine certificates and passes - privacy considerations for employers

With the COVID-19 vaccination programs well underway in various parts of the world and lockdowns being gradually lifted with the prospect of reopening services and employment premises, keeping track of the people that have been vaccinated through vaccine passports and certifications has become a priority for many industries. However, as vaccine certificates include personal data related to individuals' health, employers must consider privacy and data protection issues when relying on certificates to allow employees' or visitors' access to employment venues or other services. OneTrust DataGuidance examines global regulatory approaches on vaccine certificates and data protection compliance focusing specifically on their use in the context of employment.

Photo by Diana Polekhina on Unsplash

EU

Across the European Union, there have been some attempts to regulate, from a data protection standpoint, the collection of vaccination data and the issuing of vaccination certificates. While the information provided for each jurisdiction may not directly address the use of vaccination passes or requests for vaccination in the employment sector, it aims to shed light on the question of how vaccination data processing is regulated from a data protection standpoint.

France

In France, a decree proposed by the Ministry of Solidarity and Health (Decree No. 2020-1690 authorising the processing of personal data for COVID-19 vaccination purposes) entered into force on 25 December 2020following an opinionby the French data protection authority ('CNIL') on the same. In its opinion, CNIL highlighted the need to comply with the principle of data minimisation outlined under Article 5 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and to specify the types of pseudonymised data that can be transmitted in the context of the vaccination program. Further to this, the decree specifies in Article 1 the purposes of the processing of data in the context of vaccination, which includes the monitoring of the supply of vaccines and the sending to a person that has been vaccinated a summary including information related to the vaccination. Article 2 outlines the categories of personal data that can be processed in the context of vaccination, including data related to the side effects associated with the vaccination and the contact details of the person vaccinated or their legal representative. It should be noted that Article 3, which provides a list of the recipients of data related to vaccination, does not cover private entities but instead national health agencies, health professionals, and persons that are authorised to have access to said data for the purposes of research and measuring the effectiveness of vaccines.

Further to Decree No.2020-1690, CNIL issued two pieces of guidance related to vaccination and personal data processing. One piece of guidance focuses on data collection in the context of vaccinating for COVID-193, while the other focuses on data processing by local authorities for vaccination-related purposes4. The first piece of guidance covers the creation of a registry titled 'Covid Vaccine' which includes information on the people invited to be vaccinated or on those that have already been vaccinated. The guidance emphasises that the data processing based on this registry is related to the management of the supply of vaccines and the carrying out of research, as well as noting that this data can be accessed by healthcare professionals and their team and the doctors treating the vaccinated individual, subject to the individual's vaccination. The second piece of guidance also notes that the data collected related to vaccination is for the purpose of monitoring vaccine administration.

Therefore, from the legislation and the guidance already in place in France, the framework on vaccine certificates in the employment context, especially when vaccine certificates are requested by private entities that are unrelated to healthcare, remains to be seen. Based on the existing regime regarding vaccination and the emphasis on the existence of a legal basis founded upon national law, such as the aforementioned decree, it could be expected that any data processing operations, such as the issuing and disclosure of vaccine certificates, may need to be founded upon explicit legal provisions to this effect.

Italy

The Italian data protection authority ('Garante') issued Frequently Asked Questions ('FAQ')5 on the processing of data relating to COVID-19 vaccination in the employment context. In particular, the Garante noted that employers cannot ask their employees to provide information on their vaccination status or copies of documents as proof of vaccination against COVID-19, as well as highlighting that consent of employees for processing of data related to vaccination is not a lawful basis for processing because of the imbalance of power inherent in employment relationships. In respect to requesting COVID-19 vaccination as a condition for accessing the workplace and performing certain tasks, the Garante noted that in the health sector context, it may be possible to process personal data relating to employee vaccination and take them into account when assessing potential suitability for the job. On this same topic of asking for vaccination as a condition for accessing premises or services, the Garante highlighted6 that any processing of vaccination data as a precondition for accessing premises or services should be based upon national law and that, in the absence of said legal provisions, the Garante reserves the right to decide upon the lawfulness of both private and public entities' use of vaccination passes.  

Therefore, on the basis of the above, it seems that the Garante has adopted a strict stance towards the processing of personal data found in vaccination certificates, by noting that such processing needs to be founded upon national law and that employers are prohibited from requesting data on their employees' vaccination status.

Belgium

In Belgium, steps have been taken to provide clarification on the question of recording and processing of vaccination data and data protection. The Belgian Data Protection Authority ('Belgian DPA') issued Frequently Asked Questions ('FAQ')7on the processing of personal data regarding vaccination which also cover employers asking for proof of vaccination. Similarly to the Garante, the Belgian DPA has adopted a strict view towards the processing of vaccination data by the employer. More specifically, the Belgian DPA noted that, given the classification of health data as a special category of data, processing of said data can occur on the basis of a specific legal provision or the consent of a data subject. However, with regards to consent, the Belgian DPA noted that consent will likely not be free in employment relationships.

Moreover, the Belgian DPA provided some clarification on whether the employer can ask that all workers be vaccinated in the context of meeting legal occupation safety and health obligations. More specifically, the Belgian DPA noted that the employer has a legal obligation under labour law to ensure that the work is carried out under suitable conditions considering the safety and health of workers. In this context, the Belgian DPA specified that if the processing of vaccination data, which constitutes health data, occurs for the purpose of fulfilling controller obligations under labour law and social security, the processing may satisfy the exceptions to the prohibition of processing of special category of data under Article 9(1) of the GDPR.

To conclude, vaccination passes and certificates and their use in the employment context raise data protection issues. These concerns are mostly related to the sensitive nature of the data that will be processed by the employer and the imbalance of power between employers and employees. While there have been some attempts to provide some guidance on the issuing of vaccination certificates and their use in the employment context, more clarification is needed as the practice of issuing vaccination certificates becomes more prominent.

Suzanna Georgopoulou Privacy Analyst
[email protected]

Theo Stylianou Privacy Analyst
[email protected]