An increasingly pressing question for employers is whether they can ask employees whether they have been vaccinated, whether they can only allow vaccinated employees back to the office, or whether they can provide extra paid days off to those who have a health insurance card. Although the data protection authority has issued guidelines on the subject, the answer to most questions is still not clear.
According to the regulation, various service providers that are currently only open to those with a health insurance card – such as restaurants, hotels, gyms, cinemas – can only ask guests to show the card (or the mobile application), but they are expressly prohibited from any further data processing – i.e. recording or making a copy of the card data.
Persons with a protection card can therefore clearly enjoy certain benefits, but service providers are not entitled to process protection-related data. The question therefore arises as to whether the same applies to employers?
The National Authority for Data Protection and Freedom of Information (NAIH) has addressed this issue in a highly controversial and rather ambiguous guideline. The data protection authority concluded that employers can ask their employees whether they are protected against COVID-19, but only in very limited circumstances and only if certain conditions are met. While the guideline provides the necessary clarity on certain issues, much remains unclear, and the guideline itself emphasises that it applies mainly to employees in employment relationships and not to other legal relationships (e.g. those employed under a contract of employment). It also points to the need for a uniform, statutory approach to the issue.
The NAIH made it clear that the processing of this type of health data of employees must be necessary and proportionate and based on a prior, well-documented, objective risk assessment. The existence of necessity must be assessed on a case-by-case basis and, according to the NAIH, only applies to certain high-risk occupations or groups of employees, such as hospital maintenance workers, social workers or employees who meet a lot of customers.
In these cases, knowing the protection status of employees can be crucial to avoid infection of employees, patients and customers. In contrast, the wording of the guidelines suggests that simple office work in most cases qualifies as low-risk work, where necessity can hardly be established.
The NAIH also stressed that data on protection may only be processed for the purpose of fulfilling the relevant employment law obligations, i.e. ensuring health and safety at work, and for work organisation purposes, in order to introduce specific measures. Such measures could include, for example, placing the workstation of the protected employee next to the workstation of the non-protected employee or providing permanent home working for non-protected employees.
This latter proposal is rather strange, as the management of the COVID-19 protection status of office workers – who are the only ones who can reasonably work from home – does not seem to be permissible in most cases under the NAIH guidelines. This calls into question whether office workers are by definition a low-risk group, or whether an objective risk assessment is conceivable that could support the management of protection data by the employer in their case as well.
