Netherlands: Considerations for Employers to Use the CoronaCheck App | Small
Employers who wish to scan the QR code on their employees’ CoronaCheck app would do well to develop a policy that outlines measures to provide a safe workplace. If, as part of this policy, it is necessary to know who has been vaccinated, tested and / or who has recovered, the use of the CoronaCheck app is probably justifiable.
Based on the outcome of using the CoronaCheck app – or a refusal to show it – the employer could make any suggestions needed to adjust the work situation, such as having the employee wear protective gear extra or let him work from home. What is needed will vary by industry and type of business activity.
Employers should keep in mind that the pursuit of such a policy is very innovative and lies in uncharted territory. There is as yet no case law on this issue.
Position of the government and the Dutch Data Protection Authority
Much has been said and written about the authorized pandemic policies set by employers. In the Netherlands, it is clear that employers cannot demand that employees get vaccinated. However, according to the government, employers are free to ask employees for their immunization status, as long as the employer has a clear plan on how to proceed if the employee is found to be unvaccinated or does not wish to disclose their immunization status. . Employees do not have to answer questions about their status, but an employer can suggest adjustments to the work schedule or work location to employees who they know have not been vaccinated or who do not. do not wish to disclose their vaccination status. If this suggestion is reasonable, the employee must agree to the adjustment, according to the government.
The Dutch Data Protection Authority (DDPA), on the other hand, seems to be of the opinion that an employer cannot make such suggestions. According to the DDPA, the General Data Protection Regulation (GDPR) classifies health-related data as special personal data, which can only be processed if there is a specific legal basis for doing so. The Government also indicates that employers cannot save in any way, whether employees are vaccinated or not, but he apparently doesn’t see that as a barrier to suggesting adjustments. According to the DDPA, however, there is little an employer can do with an answer to the question of an employee’s immunization status. How are these two positions related to each other? The answer may depend somewhat on the employer’s involvement in the health sector or not.
Health sector employers
It is true that the GDPR prohibits the processing of health data unless certain conditions are met. For example, treatment is permitted, inter alia, if it is “necessary for the purposes of preventive or occupational medicine, the provision of health or social care, or the management of health care systems and services, on the basis of Union or Member State law or under contract with a healthcare professional.
The GDPR implementing law is the basis of national law which provides that healthcare providers or healthcare establishments can process the healthcare data necessary for the proper treatment of the data subject or for the management of the establishment or practice. concerning. This database provides enough latitude for employers in the healthcare sector to process immunization data if, for example, this step is necessary to protect the services provided by the employer. The employer can carry out the treatment himself, in which case he is bound by secrecy, or have it carried out by a person subject to professional secrecy, such as an occupational physician.
The employer can also scan the QR code of the CoronaCheck app. After all, then it does not directly process medical data on vaccination status.
Employers in other sectors
However, it does not seem to be excluded that employers other than healthcare may also process data on the immunization status of employees. The GDPR allows processing if it is “necessary for the purposes of fulfilling obligations and exercising specific rights in the field of labor and social security law, to the extent that it is authorized by law. Union or the law of the Member States or a collective agreement providing for appropriate guarantees for the fundamental rights and interests of the data subject.
Again, the GDPR implementing law provides the foundation in national law. This law provides that the prohibition of processing health data does not apply to employers if the processing is necessary for the proper implementation of the legal provisions which provide for rights which depend on the state of health of the person concerned. . We consider that such rights exist in this situation.
An employer is required by law to take measures to prevent his workers from being harmed at work. The employer is responsible for the damages suffered by the workers if he does not adequately respect this obligation. Compliance with this obligation, and therefore respect for the right of workers to a safe workplace, most certainly depends on the state of health of the workers concerned. As long as the processing does not go beyond what is strictly necessary to provide a safe workplace, there appears to be no reason for an employer to violate the GDPR.
Therefore, it is probably justifiable for employers to require employees to demonstrate that they do not present a – presumed – corona risk, without knowing whether this is due to the vaccination, a recovery certificate or a negative test. The CoronaCheck application is a suitable tool for this purpose.
For employees who cooperate, it will be clear whether they pose a risk. For those employees who do not cooperate, then it will be clear that they may present a risk from the coronavirus. The question is whether health data is collected during this process; after all, the employer does not know if employees are not vaccinated, not tested or tested, but simply does not disclose it.
Scanning the QR code on the CoronaCheck workplace app may still be necessary, however, especially for companies where workers can only work on site without sufficient physical distancing. In this case, any restriction on employee privacy would seem proportionate to the objective of fulfilling the legal obligation to provide a safe and healthy workplace for everyone in the company.