Fine for registering employee health data

The Dutch Data Protection Authority recently fined a company for registering its employees’ health data. The reason for reporting sick was recorded in the company’s absenteeism records. The register contained sensitive information on the employees’ physical or mental condition and information on the nature and cause of the sickness reports.

Prohibited

The processing of employee health data is prohibited. In privacy legislation, health data are classified as special personal data that require extra protection. The nature and cause of a sick report may therefore not be registered, not even when an employee provides such information on his or her own initiative.

Report

In January 2019, the Data Protection Authority received a notification that the company in question processed employee health data. It was furthermore apparent from the notification that the absenteeism registration was online and could be accessed without any form of authentication. When personal data are processed, the party responsible for processing them must arrange for adequate security. That was clearly not the case here. The Data Protection Authority seriously reprimanded the company in question for both violations. The fine for this first offender immediately amounted to EUR 15,000.

Significant impact

This demonstrates that the Data Protection Authority takes strict enforcement measures when it comes to the processing of special personal data. In the press release announcing the fine, the Data Protection Authority stated that knowledge of an employee’s physical and emotional condition allows employers to form an opinion or make decisions that have a significant impact on the employee. Partly for that reason, everyone has the right to keep special personal data (such as health data) to themselves insofar as possible, and according to the Data Protection Authority this also applies to employees.

Vaccinated or unvaccinated

In practice, we see that employers regularly wonder whether they are allowed to register whether or not their employees have been vaccinated against corona. We already addressed this issue in our last newsletter and concluded that, for the time being, the answer to this question is “no”. The fining decision addressed in this article and the Data Protection Authority’s explanation of that decision once again demonstrate that employers are most likely treading on thin ice if they decide to do so nevertheless, since whether or not a person has been vaccinated is regarded as data on his or her health. Although the Data Protection Authority often first issues warnings and instructions, it is apparent from this fine report that even a “first offender” may immediately be fined by the Data Protection Authority. We therefore strongly advise against registering vaccinations and other health data of your employees.

For information or advice on this subject please contact Lise van den Heuvel (+31-6-23492248).

This article was published in the Newsletter Vestius of July 2021