Europe: COVID-19 vaccination status - What can employers collect?
With restrictions being lifted across Europe and businesses planning their return to the office, many employers, in an endeavour to prevent the spread of COVID-19, are faced with the dilemma of whether they can require their employees to be vaccinated or to show proof of their vaccination status. Besides the health and safety concerns associated with the introduction of such measures, there are also some key privacy-related considerations. In particular, an individual's vaccination status falls within the scope of health data under Article 4(15) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and is therefore a special category of personal data under Article 9 of the GDPR, meaning processing is generally prohibited, unless an exception applies.
Vaccination in the UK is only mandatory in certain circumstances. Specifically, the Department of Health and Social Care ('DHSC') announced, on 4 August 2021, that, from 11 November 2021, anyone working or volunteering in a care home will need to be fully vaccinated against COVID-19, unless exempt1. Similarly, the Scottish2 and Welsh3 governments, respectively, published their proposals for mandatory vaccination certification schemes.
In response to the DHSC's announcement, the Information Commissioner's Office ('ICO') published, on 29 September 2021, a statement4 highlighting that it has been advising governments across the UK on how to ensure privacy is considered from the outset, noting the expectation of high standards of governance and accountability to ensure compliance with data protection principles, including transparency, fairness, data minimisation and storage limitation, and utilising a 'Data Protection by Design' approach as part of their planning.
Checking employees, customers, or visitors' COVID status
The 'Vaccination and COVID pass checks' guidance5 ('the Vaccination Guidance') highlights that, in some parts of the UK, it is now a legal requirement to check people's COVID status in certain settings. In addition, the Vaccination Guidance confirms that where it is not a legal requirement, checking this information is at the discretion of the business or organisation. Therefore, the Vaccination Guidance outlines that before a company checks the COVID status/pass of its employees, customers, or visitors, they need to identify their objectives and how these can be achieved through disclosure of people's COVID passes, be clear and transparent about the same, and abide by the data minimisation principle.
Furthermore, the Vaccination Guidance provides that companies that are not required to collect this information but are considering doing it on a voluntary basis should consider the sector in which they operate and the health and safety risks to help decide if there is a compelling reason to check people's COVID status.
Applicability of the UK GDPR
Further to this, the Vaccination Guidance explains that the UK General Data Protection Regulation ('UK GDPR') will not apply where the company only conducts a visual check of COVID passes (either a hard-copy document or a pass held on a digital device) and does not retain any personal data from it, as this would not be regarded as 'processing'. On the contrary, the Vaccination Guidance identifies the below activities which would trigger the applicability of the UK GDPR:
- conducting checks digitally (for example, by scanning the QR code displayed on the pass), irrespective of whether the company keeps any records of it; and
- making a record of any personal data, whether through conducting visual or digital checks.
Employers looking to collect such information will also need an appropriate legal basis for processing it. The Vaccination Guidance outlines that in some cases legitimate interests may be the most appropriate, whereas in other situations, employers may be able to rely on legal obligation as a basis for processing, notably when such checks are required by law. Importantly, the Vaccination Guidance confirms that consent as a lawful basis under the UK GDPR is rarely appropriate in an employment setting given the imbalance of power between the employer and employee. Similarly, the Vaccination Guidance states that consent is unlikely to be appropriate where checking an individual's COVID status is a legal requirement or a condition of entry into the premises.
Please note that, at the time of publication, the Vaccination Guidance was undergoing a review to reflect on the changes to the COVID certification schemes in Scotland and Wales.
Retention and storage of employees' vaccine status
The Vaccination Guidance does not specify a retention period for the storage of information regarding employees' vaccine status; however, it does highlight that companies must ensure they do not keep such information for longer than is necessary, as well as only use the information for the purposes originally specified. In addition, the Vaccination Guidance provides that companies must accurately record the information that they collect and ensure that the collection and storage is secure, respect any duty of confidentiality owed, and only disclose a person's vaccine status if they have a legitimate and necessary reason to do so.
Moreover, the Vaccination Guidance explains that in most circumstances, companies will probably only need to make a check of someone's COVID status certificate or pass without retaining any information, hence any retention of information would have to be clearly justified.
On-site testing for employees
The guidance on 'Data protection and coronavirus – advice for organisations'6 ('the COVID Guidance') published by ICO highlights that employers do not necessarily need to make testing or checking for COVID-19 symptoms mandatory for their staff, as such a measure would require consideration of other factors, beyond data protection, such as employment law and contracts with employees, health and safety requirements and equalities issues, and any sector-specific guidance and requirements. As such, the COVID Guidance outlines that when deciding whether measures such as collecting employee health information or asking staff to be tested for COVID-19 are necessary, employers should consider the specific circumstances of the organisation and workplace, including:
- the type of work;
- the type of premises;
- other health protection measures in place; and
- whether specific regulations, health and safety requirements, and duties of care apply to the organisation or staff.
The COVID Guidance notes that taking the wider framework into consideration will better inform employers on how to apply data protection law. As a result, once the above information has been gathered, the COVID Guidance recommends that employers consider whether they really need the information and if they could achieve the same outcome without collecting personal information. Employers should show that the approach is reasonable, fair, and proportionate.
In order to demonstrate that the chosen approach is compliant with data protection requirements, the COVID Guidance outlines that a Data Protection Impact Assessment ('DPIA') can be used as a way of demonstrating accountability.
The Conference of Independent Data Protection Supervisors of the Federation and the Länder ('DSK') issued, on 29 March 2021, a resolution called 'Coronavirus: proof of vaccination, proof of negative test result and proof of recovery in the private sector and in the employment relationship should be regulated by law!'7 ('the Resolution'). In particular, the Resolution states that information about a person's vaccination status is considered to be health data and that health data is subject to the particularly strict protection of the GDPR and may only be processed under narrowly defined exceptions.
In addition, the DSK published, on 19 October 2021, a resolution on the processing of the COVID-19 vaccination status of employees by their employers8. In particular, the DSK highlighted that employers are generally not allowed to process the vaccination status of their employees, without explicit legal authorisation, even in the context of the COVID-19 pandemic.
The DSK, however, noted that in individual cases, the processing of an employee's vaccination status may be permitted on the basis of statutory regulations, for instance, certain employers in the healthcare sector may process the vaccination status of their employees under the legal conditions specified in Sections 23a and 23(3) of the Federal Infection Protection Act ('IfSG'). In addition, the DSK noted that certain employers providing day-care facilities for children and outpatient care services may process the vaccination status of their employees in connection with COVID-19 under the conditions specified in Section 36(3) of the IfSG.
Furthermore, the DSK outlined that employers may process the vaccination status of those employees who assert a claim for monetary compensation (wage replacement) against them pursuant to Section 56(1) of the IfSG, since one of the prerequisites for a claim is whether there was the possibility of a vaccination. Moreover, the DSK noted that employers may also process the vaccination status of employees, insofar as this is stipulated by legal ordinances, to combat the Coronavirus pandemic on the basis of the IfSG.
The DSK noted that the processing of the vaccination status on the basis of employee consent is only possible if consent is freely given, and thus legally effective, emphasising that this is generally not the case in the workplace, due to the relationship of superiority and subordination existing between employers and their employees. In addition, the DSK observed that processing in connection with the vaccination status must also comply with other principles established by the GDPR, namely data minimisation, storage limitation, right to erasure, and accountability. In particular, the DSK outlined that if the vaccination status is to be stored, no copies of vaccination cards or comparable certificates (original or copy) may be included in the personal file and that it is sufficient if it is noted that these have been presented in each case. Moreover, the DSK stated that once the purpose for storing the vaccination status has ceased to exist, this personal data must be deleted.
The Federal Commissioner for Data Protection and Freedom of Information ('BfDI') issued, on 18 August 2021, an opinion on vaccination status and tests in the service or employment relationship9 ('the Opinion'). In particular, the Opinion states that the BfDI is of the view that, at present, the legal situation is as follows:
- Apart from a few exceptional cases, such as in the health sector, the vaccination status of employees cannot be processed by the employer, nor can any kind of testing obligation be imposed or enforced.
- Sections 26(1) and 26(3) of the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) as amended on 20 November 201910 ('BDSG'), in conjunction with occupational health and safety regulations, is not applicable, because the SARS-CoV-2 Occupational Health and Safety Ordinance, the SARS-CoV-2 Occupational Health and Safety Standard, and the SARS-CoV-2 Occupational Health and Safety Rule conclusively define what is necessary for operational protection against infections in view of the Coronavirus pandemic. Hence, the Opinion states that it does not provide any authority or requirement for employers to process vaccination status or to conduct mandatory testing of employees in any manner.
- Even if, in accordance with the current resolutions of the Conference of Prime Ministers with the Federal Chancellor, extensive testing obligations are stipulated in statutory instruments, this does not in itself create a basis for employers to process vaccines internally.
The Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') announced, on 2 October 2021, that it had released a position paper on continued wage payments in the case of quarantine11. In particular, the paper states, among other things, that the employer may inquire about the vaccination status of the employees when paying compensation according to Section 56 of the IfSG. However, the employees are not obliged to disclose their vaccination status or other health data, such as pregnancy or illness, to the employer. Specifically, the paper notes that such an obligation does not arise from the IfSG, from Section 26(3) of the BDSG, nor from Article 9(2)(b) of the GDPR. In addition, the paper outlines that the employer's processing powers are addressed, but not the data subject's obligations to provide information. Therefore, if an employer has obtained such data regarding vaccination status lawfully (e.g. through a voluntary declaration by the employee), the employer may use it and transmit it to the relevant authority. However, the paper further explains that this disclosure must be distinguished from the employee's obligation to provide information, which must be expressly determined by formal law. Moreover, the paper states that such an obligation to provide information cannot be based on the employment contract with the employer, though there is certainly a contractual secondary obligation of the employee to support the employer in asserting claims against authorities within the scope of what is reasonable, which may also include the provision of personal data of the employee, but certainly not the provision of special categories of personal data pursuant to Article 9 of the GDPR. The paper further details that the voluntary information provided by the employee to the employer is subject to the principles of purpose limitation. 
In particular, the paper adds that, after using data to obtain reimbursement of its compensation payment from the competent authority, the employer must delete such data immediately and may not use them to set up an internal vaccination register or for any other purpose.
The LfDI Baden-Württemberg further published, on 15 October 2021, a statement12 in which it outlined that it has not commented on the possibility of individual employees to disclose their vaccination status to their employer, nor has it vetoed relief for employees. In addition, the LfDI Baden-Württemberg stated that data protection as a fundamental right to informational self-determination gives every citizen the right to share their vaccination status with others, including the employer, and that particularly in the employment relationship, it is important to ensure that no undue pressure is exerted on this decision, and that is why the employer is generally not allowed to ask for health data of his/her employees.
The Bavarian data protection authority ('BayLfD') released, on 5 August 2021, guidelines regarding processing of personal data by employers and civil service employers in connection with the Coronavirus pandemic13. In particular, the guidelines state that even if the processing of health data is generally only possible in a restrictive manner, data can be collected and used for various measures to contain the Coronavirus pandemic or to protect employees in accordance with data protection regulations, but the principle of proportionality and the legal basis must always be observed.
In addition, the guidelines state that the following measures to contain and combat the Coronavirus pandemic can be considered legitimate under data protection law:
- The collection and processing of personal data (including health data) from employees by employers in order to prevent or contain the spread of the virus among employees as best as possible. This includes, in particular, information on the cases:
  - in which an infection has been detected or an individual has had contact with a person known to be infected; or
  - in which there was a stay in an area classified as a risk area by the Robert Koch Institute ('RKI') in the relevant period.
- Collection and processing of personal data (including health data) from guests and visitors, in particular to determine whether they:
  - are infected themselves or have been in contact with a person who has been known to be infected; or
  - have stayed in an area classified as a risk area by the RKI during the relevant period.
- In contrast, the disclosure of personal data of persons who are proven to be infected or suspected of being infected in order to inform contact persons is only lawful if knowledge of the identity is exceptionally necessary for the preventive measures of the contact persons.
The guidelines also note that after the respective processing purpose no longer exists (usually at the latest at the end of the pandemic), the data collected must be deleted immediately.
The Data Protection Authority of Bavaria for the Private Sector ('BayLDA') released, on 22 September 2021, guidelines on the vaccination status of employees14 ('Bavarian Guidelines'). In particular, the Bavarian Guidelines state that an employer may not ask its employees about their vaccination status with regard to SARS-CoV-2 in order to carry out the employment relationship, unless one of the few cases expressly regulated by law exists that entitles the employer to process information about the vaccination status of employees, for example in the area of medical care.
In addition, the Bavarian Guidelines state that the processing of vaccination data by employers for special reasons of pandemic control is provided for by law only in the narrowly limited cases specified in Sections 23a and 36(3) of the IfSG. In this context, Section 36(3) of the IfSG presupposes the determination of an epidemic situation of national scope by the German Bundestag in accordance with Section 5(1)(1) of the IfSG (currently until 24 November 2021) and permits a query only insofar as this is necessary to prevent the spread of COVID-19. Thus, the Bavarian Guidelines state that processing of vaccination data by the employer is only permitted for employees of facilities pursuant to Section 23(3) of the IfSG, such as hospitals, medical practices, and during an established epidemic situation of national scope pursuant to Section 5(1)(1) of the IfSG, and as far as it is necessary to prevent the spread of COVID-19, for employees of, for example, day-care centres for children, schools, institutions for the disabled and nursing homes, institutions for the communal accommodation of asylum seekers, other mass accommodations, correctional institutions, and outpatient nursing services. As a result, the Bavarian Guidelines state that there is no right of the employer to ask about the vaccination status of employees except in the cases expressly mentioned by law according to Section 23a and in the future Section 36(3) of the IfSG. However, the Bavarian Guidelines also note that irrespective of this, an employer is authorised to at least collect or take note of the vaccination status if it is voluntarily provided by the employee in order to be exempt from a legally regulated obligation to test in accordance with applicable state law regulations on pandemic containment (e.g. Section 9 of the 14th Bavarian Infection Protection Measures Ordinance).
In addition, the BayLDA issued, on 23 July 2021, guidelines concerning data protection questions about corona tests of employees15 ('Corona Test Guidelines'). The Corona Test Guidelines state that, since 22 April 2021, employers have had to offer all employees who do not work exclusively in their home a Coronavirus test at least once a week and employees who are exposed to a particular risk of infection during their work are entitled to a test at least twice a week. However, the Corona Test Guidelines note that, for the vast majority of groups of employees, carrying out the tests is voluntary, hence, the employer is obliged to make an offer, but employees are not obliged to accept the offer. The Corona Test Guidelines outline that this is different only for groups of employees for whom a test obligation is expressly regulated by the legislature or by order of the district administrative authority. In addition, the Corona Test Guidelines note that the employer is not required by law to document whether an employee has accepted the test offer (i.e. has performed a test) or not, therefore, processing of personal data of employees by the employer in connection with the performance of Coronavirus tests by employees is not mandatory by law. Furthermore, the Corona Test Guidelines outline that, according to the Federal Ministry of Labor and Social Affairs, there is no obligation on the part of the employee to notify the employer of the positive test result (Section 6.19 of the FAQ of the Federal Ministry of Labor and Social Affairs), such notification would therefore always be voluntary, hence as a rule, the employer is not entitled to the disclosure of a positive test result against the employee due to the contractual loyalty obligation.
The Hamburg Commissioner for Data Protection and Freedom of Information ('HmbBfDI') issued, on 1 October 2021, its updated guidelines regarding COVID-19 in the employment relationship16 ('Updated COVID Guidelines'). Specifically, the Updated COVID Guidelines state that inquiries about the vaccination status of employees cannot be based on Section 9(2)(h) and (i) of the GDPR as the legal basis.
Nevertheless, the Updated COVID Guidelines state that the HmbBfDI has made use of its authority to issue ordinances in accordance with Section 28c of the IfSG and has created a data processing basis for employees in the context of the so-called two-G access model in Section 10j(3) of the HmbSARS-CoV-2 containment policy17. Nonetheless, the Updated COVID Guidelines note that there is generally no obligation for employees to provide information about their vaccination status; however, if employers have knowledge of which employees have been vaccinated, this knowledge can be used in accordance with Section 2, Paragraph 1 of the SARS-CoV-2 Occupational Safety and Health Ordinance of 10 September 2021 when designing the company's occupational safety concepts. The Updated COVID Guidelines provide that if there is no information about the vaccination status, it can be assumed, according to the ordinance, that the employees have not been completely vaccinated or have recovered and that higher occupational safety standards must therefore be observed. The Updated COVID Guidelines also state that insofar as employers process the vaccination status of the employees, only a note about the existence of the vaccination certificate and the existing vaccination protection may be included in the personnel file; however, a copy of the vaccination certificate is not required and is therefore not permitted under data protection law.
Furthermore, the Updated COVID Guidelines note that the requirement of data economy and data minimisation also applies when processing the vaccination status. In this respect, employers may only process the vaccination status of employees for as long as it is necessary for the performance of their duties.
The guidelines regarding the processing of employees' vaccination status18 ('Vaccination Guidelines') issued by the Hessen data protection authority ('HBDI') state that consent may be considered as a legal basis for employers to process the vaccination status of employees. However, the Vaccination Guidelines state that the requirements for an effective declaration of consent should not be underestimated by responsible employers and that, given the issues regarding the voluntary nature of consent in an employment context, consent will probably only be suitable in a few cases. The Vaccination Guidelines also state that Section 26(3) of the BDSG can also be considered as a legal basis for the processing of the vaccination status of employees, although a specific legal basis is generally required. In addition, the Vaccination Guidelines state that even in the event that Section 26(3) of the BDSG is considered relevant, the prerequisites of the legal provision are generally not met because:
- no legal obligation under labour law, social security law, and social protection is identifiable for the processing of the employee's vaccination status; and
- the prerequisites for the qualified necessity of processing the vaccination status according to Section 26 of the BDSG are not met.
The Vaccination Guidelines also state that collective agreements can also create legal grounds for authorisation under data protection law for the processing of special categories of personal data, thus also for the processing of the vaccination status of employees. However, the guidelines note that the requirements of Article 88(2) of the GDPR and Section 75(2) of the Works Council Constitution Act ('BetrVG') must be observed.
The North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information ('LDI NRW') published, on 27 September 2021, frequently asked questions ('FAQs') relating to questions and measures taken by employers to protect against coronavirus19. In particular, the LDI NRW noted that an employer can ask employees about positive Coronavirus testing as, should employees receive feedback after a doctor's visit that they have been infected with the Coronavirus, the usual rules apply in the event of illness, namely the submission of a certificate of incapacity for work. In addition, the LDI NRW noted that if a Coronavirus disease has been found, the employer can request information about it so that it can fulfil its duty of care and protection and protect the health concerns of other employees. Furthermore, the LDI NRW stated that the duty of loyalty in the employment relationship also obliges employees to inform the employer accordingly in the event of a corresponding illness, due to the high risk of infection, since this is the only way to take protective measures against the spread of the virus and warn employees.
The LDI NRW noted that there is currently no legal basis for assessing the vaccination status by employers who do not fall under special standards (such as Section 23a or Section 36(3) of the IfSG). Accordingly, the LDI NRW noted that vaccination certificates may not be recorded within the personnel file.
However, LDI NRW noted that Section 4(7) of the Corona Protection Ordinance of 17 August 2021 stipulates that non-immunised employees who have not worked for at least five consecutive working days after 1 July 2021 due to holidays and comparable leaves of absence from work must provide employers with proof of a negative test on the first working day after this interruption of work or carry out a documented supervised test as part of employee testing before or at the start of work on the first working day.
The Saxon data protection authority ('SächsDSB') issued, on 29 September 2021, a statement20 which outlines that the introduction of the 2G option model for business does not entitle employers to process the vaccination or recovery status of individual employees, but that this in fact requires a clear legal basis. Moreover, the statement outlines that the legal basis for the processing of the vaccination status of employees by employers may, among others, be consent or collective agreements.
In accordance with Article 11 of the Dutch Constitution and Article 8 of the European Convention on Human Rights, COVID-19 vaccination is voluntary in the Netherlands.
The Government's guidance21 for employers ('the Guidance') states that neither testing nor vaccination can be made compulsory for employees. Further, guidance released by the Dutch data protection authority ('AP') on Corona in the workplace22 ('Workplace Guidance') outlines that employers are not allowed to process medical data of their employees and are therefore not permitted to ask employees about their health status.
However, the Guidance outlines that employers are permitted to ask employees whether or not they have been vaccinated provided there is a 'valid reason' for asking, for example if the employee works with vulnerable individuals.
Regarding testing, the Workplace Guidance provides that employers are not permitted to test their employees themselves, instead a company doctor may conduct the test and only share the results with the employee. In relation to company procedures, the Guidance stresses the need for employers to establish a plan for dealing with employees who are not vaccinated or refuse confirmation of the same.
In addition, the Government's Q&A on vaccinations in the workplace23 addresses privacy considerations such as data storage, notably stating that an employer is not permitted to record the vaccination status of employees. Furthermore, the Q&A notes that since health data is considered a special category of personal data according to the GDPR, it must not be processed in the absence of a statutory exception.
Moreover, the guidance outlines that employers who are responsible for offering employees a safe and healthy working environment may ask those with COVID-19 symptoms to work from home and close the workplace entirely if this is deemed necessary. However, the guidance confirms that employers cannot force employees to take leave days.
Regarding the adjustment of an employee's work, the guidance outlines that if the employer knows that an employee has not been vaccinated, or if an employee does not want to say this for any reason, then adjustment of work is a possibility with options including working from home, the use of personal protective equipment, or an adapted work schedule. If alternative measures are possible, and the employer comes up with a reasonable proposal, the employee will have to accept that alternative. The guidance states that if an employee refuses such arrangements, the employer and the employee have the option to go to court if no agreement can be reached on the manner of performance of the work in relation to protection against COVID-19.
The Q&As outline that the COVID entry pass system has been made mandatory by the Government from 25 September 2021 for access by visitors and customers to companies and organisations active in specific sectors; however, they note that there is currently no legal basis for asking employees in those sectors to do the same.
The AP's guidance on temperatures during corona ('the Temperature Guidance') clarifies that measuring individuals' body temperature is only permitted if the following apply:
- the temperature recording is not kept in a file, such as an Excel list with names;
- the measurement has not been taken automatically, as is the case with a thermal camera; and
- the processing has no automated consequences, for example gates that open based on the result of the test.
The Temperature Guidance notes that if the above conditions are not met, the GDPR will apply. Furthermore, the Temperature Guidance states that if the temperature can be traced back to a specific person it will be considered personal data under the GDPR and can only be processed if an exception applies, such as consent. Notably, the Temperature Guidance cautions that consent is often not a feasible option in an employment context due to the requirement that it must be freely given and the nature of an employment relationship.
Requirement for employees to present vaccination pass
Pursuant to Decree Law No. 127 of 21 September 2021 Urgent Measures to Ensure the Safe Performance of Public and Private Work by Extending the Scope of the COVID-19 Green Certification and Strengthening the Screening System24 ('Decree 127'), all employees in the public and private sector must be in possession of the COVID-19 Green Pass in order to access places of work during the state of emergency from 15 October 2021 to 31 December 2021. This obligation also extends to all individuals who carry out their business for any reason, e.g. training or volunteering, in the places of work, including contractors (Article 3(2) of Decree 127).
COVID-19 Green Passes can be obtained through vaccination, a negative swab test, or recovery from COVID-19 within certain time limits.
Decree 127 provides that the above requirements do not apply to individuals who cannot receive a COVID-19 vaccination, subject to appropriate medical certification.
Requirement for employers to verify vaccination and implement policy
Pursuant to Article 3(4) of Decree 127, all private-sector employers are obliged to verify that employees are in possession of the COVID-19 Green Pass. Additionally, employers are required to define the operational procedures for organising the checks referred to in Article 3(4) of Decree 127, providing, where possible, that such checks are carried out at the time of access to the workplace, and identifying individuals in charge of ascertaining violations of the obligation to possess a COVID-19 Green Pass.
Sanctions for employers and employees
Under Article 3(6) of Decree 127, private-sector employees who do not present a valid COVID-19 Green Pass are considered unjustified absentees from the first day of absence and shall lose their salary during their period of absence, but they do not risk suspension or dismissal or other disciplinary consequences.
For companies with fewer than fifteen employees, after the fifth day of unjustified absence, the employer may suspend the worker for the duration corresponding to that of the employment contract stipulated for the replacement, in any case for a period not exceeding 10 days, renewable only once, and no later than the aforementioned deadline of 31 December 2021 (Article 3(7) of Decree 127).
Employees found to enter their place of work without a valid COVID-19 Green Pass may face penalties ranging from €600 to €1,500, while the penalties for employers who fail to carry out the required checks range from €400 to €1,000.
Verification and privacy measures
Decree of the President of the Council of Ministers 12 October 2021 amending the Decree of the President of the Council of Ministers of 17 June 2021 and Introducing New Methods for Verifying the COVID-19 Pass in the Public and Private Workplace25 ('the Decree on Verification Methods'), published in the Official Gazette on 14 October 2021, provides for the verification of the possession of the COVID-19 Green Pass to be carried out in multiple ways, including through the use of a software development toolkit to be integrated into access control systems, a specific functionality of the public administration personnel management platform, or the National Institute for Social Security institutional portal, for which technical and organisational measures must be adopted to guarantee a level of security adequate to the risks presented by the processing.
In its opinion on the Decree on Verification Methods26, adopted on 12 October 2021, the Italian data protection authority ('Garante') highlighted that the verification activity must not involve the collection of data subjects' personal data, unless strictly necessary for the adoption of measures resulting from the lack of a valid COVID-19 Green Pass, and that, in any case, the systems used must not retain QR codes, nor process the information collected for any other purposes.
Furthermore, the Garante clarified that only employees in service and for whom access to the workplace is envisaged may be subjected to the verification process, and that employees must be appropriately informed of the processing of personal data carried out.
Since 15 September 2021, as part of the national protocol to ensure the health and safety of employees in the context of COVID-1927, all those who work in close contact with vulnerable persons, including those working or volunteering in health services, are required to be fully vaccinated. According to the Government guidelines, although exemptions do apply to this compulsory vaccination, these must be justified and proved28.
CNIL has voiced various opinions on the Health Pass system, compulsory and voluntary vaccinations, and the processing of personal data therein throughout its stages of implementation29. France has also established a Vaccination Information System, in response to which CNIL has issued a statement30, in January 2021, noting that the data subjects' right to object can be exercised at any time before they consent to vaccination and that, after having consented to the vaccination, data subjects can object to their data being transmitted to the central health data platform for research purposes.
However, most recently, in September 2021, CNIL released two sets of comprehensive questions and answers: one on the collection of personal data in the workplace ('the Workplace Data Collection Q&As'), and one on the Health Pass and compulsory vaccinations31 ('the Vaccinations Q&As').
The Workplace Data Collection Q&As clarify that the return of a worker to the workplace should not be made conditional on vaccination against COVID-19. Furthermore, CNIL added that the employer does not have the right to be informed either of information related to the vaccination status of employees or their intention to be vaccinated. Further, the Workplace Data Collection Q&As summarise that the employer may not receive any information on the vaccination status of the employee, beyond that which is required by law to monitor compulsory vaccinations and to receive proof of vaccination for the same as part of the Health Pass scheme.
CNIL has reiterated the importance of its role in monitoring compliance of the Health Pass, and its accompanying TousAntiCovid Verif application which is explicitly for use by workers, with data protection legislation. Among other things, the Workplace Data Collection Q&As specify that TousAntiCovid Verif does not store QR codes after verification is completed. Establishments or events requiring the provision of a Health Pass are considered data controllers for the information involved in verifying the same. As such, data controllers must, among other things, provide the appropriate information to data subjects, use TousAntiCovid Verif or an alternative app authorised by the Ministry of Health, and maintain a record of individuals authorised to handle operations related to Health Passes.
Angela Potter Privacy Manager (Research)
Alexis Galanis Lead Privacy Analyst
Marina Ioannou Senior Privacy Analyst
Amelia Williams Privacy Analyst
Alexandra From Privacy Analyst
7. You can find the Resolution, only available in German, at: https://www.datenschutzkonferenz-online.de/media/en/20210331_entschliessung_impfdatenverarbeitung.pdf
8. You can read the resolution, only available in German, at: https://www.bfdi.bund.de/SharedDocs/Downloads/DE/DSK/DSKBeschluessePositionspapiere/DSK_202111025_Beschluss-Impfstatus-Besch%C3%A4ftigte.pdf?__blob=publicationFile&v=2
9. You can find the Opinion, only available in German, at: https://www.bfdi.bund.de/SharedDocs/Downloads/DE/DokumenteBfDI/Stellungnahmen/2021/StgN_Impfstatus-Abfrage-Arbeitgeber.pdf?__blob=publicationFile&v=1
10. You can read the BDSG at: https://www.dataguidance.com/legal-research/federal-data-protection-act-30-june-2017
11. You can find the position paper, only available in German, at: https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2021/10/Positionspapier_Lohnfortzahlung_Rechtslage.pdf
12. You can read the statement, only available in German, at: https://www.baden-wuerttemberg.datenschutz.de/lockerung-der-maskenpflicht-fuer-beschaeftigte-scheitert-nicht-am-datenschutz/
13. You can find the guidelines, only available in German, at: https://www.datenschutz-bayern.de/corona/arbeitgeber.html
14. You can find the Vaccination Guidelines, only available in German, at: https://www.lda.bayern.de/de/thema_impfstatus.html
15. You can find the Corona Test Guidelines, only available in German, at: https://www.lda.bayern.de/de/thema_corona_test.html
16. You can read the guidelines, only available in German, at: https://datenschutz-hamburg.de/pages/corona-faq
17. Only available in German at: https://www.hamburg.de/verordnung/
18. You can read the press releases, only available in German, at: https://datenschutz.hessen.de/datenschutz/arbeitgeber-und-besch%C3%A4ftigte/ist-die-verarbeitung-des-impf-und-genesenenstatus-von and the guidelines, only available in German, at: https://datenschutz.hessen.de/sites/datenschutz.hessen.de/files/Handreichung%20-%20Verarbeitung%20des%20Impf-und%20Genesenenstatus%20von%20Besch%C3%A4ftigten%20durch%20Arbeitgeber_0.pdf
19. You can read the FAQs, only available in German, at: https://www.ldi.nrw.de/mainmenu_Datenschutz/submenu_Datenschutzrecht/Inhalt/Personalwesen/Inhalt/Corona/Corona.html
20. You can read the statement, only available in German, at: https://www.saechsdsb.de/images/stories/sdb_inhalt/Pressearbeit/20210928_Stellungnahme_Abfrage_Impfstatus_2G_Optionsmodell.pdf
22. Only available in Dutch at: https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/corona/corona-op-de-werkvloer
24. Only available in Italian at: https://www.gazzettaufficiale.it/atto/serie_generale/caricaDettaglioAtto/originario?atto.dataPubblicazioneGazzetta=2021-09-21&atto.codiceRedazionale=21G00139&elenco30giorni=false
25. Only available in Italian at: https://www.gazzettaufficiale.it/eli/id/2021/10/14/21A06126/sg
26. Only available in Italian at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9707431
27. Only available in French at: https://travail-emploi.gouv.fr/IMG/pdf/protocole-nationale-sante-securite-en-entreprise.pdf
28. Although exemptions do apply to this compulsory vaccination, these must be justified and proved, see: https://www.gouvernement.fr/info-coronavirus/vaccins (only available in French).
29. Only available in French at: https://www.cnil.fr/fr/coronavirus-covid-19/avis-cnil-covid
31. Only available in French at: https://www.cnil.fr/fr/covid-19-questions-reponses-sur-la-collecte-de-donnees-personnelles-sur-le-lieu-de-travail