New Ways of Working

Explore and keep track of key legal and compliance considerations for multinational employers as new ways of working become increasingly embedded as the pandemic begins to recede. Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.

Choose countries

 

Choose questions

Choose the questions you would like answering, or choose all for the full picture.

11. What are the key privacy considerations employers face in relation to ascertaining and processing employee medical and vaccination information?

11. What are the key privacy considerations employers face in relation to ascertaining and processing employee medical and vaccination information?

Flag / Icon

France

  • at Proskauer Rose
  • at Proskauer Rose
  • at Proskauer Rose

Moreover, regarding the processing of data relating to an employee’s vaccination, the CNIL has not yet issued a directive on the specific subject of the processing of employee vaccination data by employers. Because of their sensitive nature, data relating to employee health are subject to special legal protection: they are in principle prohibited from being processed. Employers, therefore, may not keep a list of vaccinated employees, or disclose the names of those who do not wish to be vaccinated.

In fact, according to the CNIL, "because of their sensitive nature, data relating to a person's health are subject to special legal protection: they are in principle prohibited from being processed. In order to be processed, its use must necessarily fall within one of the exceptions provided for by the GDPR, thus guaranteeing a balance between the desire to ensure the security of individuals and respect for their rights and fundamental freedoms. Moreover, their sensitivity justifies that they be processed under very strong conditions of security and confidentiality and only by those who are authorized to do so.

The exceptions that can be used in the context of work are limited and can generally be based on either :

  • the need for the employer to process this data to meet its obligations in terms of labour law, social security and social protection: this is the case for the processing of reports by employees,
  • the need for a health professional to process such data for the purposes of preventive or occupational medicine, (health) assessment of the worker's capacity to work, medical diagnoses etc.

For these reasons, employers who would like to initiate any steps aimed at ascertaining the state of health of their employees must rely on the occupational health services.

The CNIL points out that only competent health personnel (in particular occupational medicine) may collect, implement and access any medical forms or questionnaires from employees/agents containing data relating to their health or information relating in particular to their family situation, their living conditions or their possible movements"

However, we find these exceptions difficult to apply in the context of covid-19.

For employees subject to mandatory vaccination, the law allows the employer, or regional health agency if applicable, to store the result of the check on the proof of vaccination status.

Please note that the employer may not keep the proof of vaccination. In other words, the employer may not keep the QR code, only the “Yes/No” result of the test. Keeping the result is limited in time (currently until 15 November 2021).

The information thus collected is personal data subject to the General Data Protection Regulation (GDPR).

Last updated on 21/09/2021

Flag / Icon

Germany

  • at CMS Hasche Sigle

Data that an employer collects to draw inferences about an employee's health is special category personal data. Such data is granted special protection under the General Data Protection Regulation and the German Federal Data Protection Act. The collection and processing of employee health data for the employment relationship is only permitted if the employee consents, or if it is necessary for the exercise of rights or to meet legal obligations under employment law and if there is no reason to assume that the interests of the employee involved in the protection of his or her data prevails. In case of doubt, a distinction will have to be made according to the type of information and the environment in which the employee is employed. Employers are entitled under the temporary amendments to the Infection Protection Act to store and process the personal data on vaccination or immunisation status for up to six months. The data may also be used to adapt the company hygiene policy based on risk assessment, as far as is necessary. Regardless, employers must comply with the requirements of data protection, in particular by taking appropriate and specific measures to protect the health data of the persons concerned in accordance with the GDPR and the German Federal Data Protection Act.

Furthermore, it is permissible to ask whether an employee has symptoms of covid-19. It is equally admissible – albeit contentious – to ask whether a worker is currently ill with covid-19. This is because, without knowledge of the specific danger of an illness, the employer cannot take any special protective measures and might endanger other employees and third parties by employing that employee.

Last updated on 30/11/2021