Because health data represents a special category of data, the GDPR allows processing only in exceptional situations indicated in Art. 9(2).
In the context of measures aimed at containing the spread of COVID-19, organisations are asking which Art. 9(2) exemption is the correct basis for collecting data about the health situation of their employees. This article sums up opinions published by EU Data Protection Authorities on this issue.
Processing necessary for complying with employment law
GDPR Art. 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
Several EU authorities have validated Art. 9(2)(b) as a basis for employers who need to process health information about their employees and about people who visit their premises, provided that employment or occupational safety law imposes obligations on the organisation which make that processing necessary. See, for example, the opinions from Ireland, Spain and Hungary.
For instance, national employment or occupational safety law might provide that the employer has obligations to protect employees from health risks. Some laws also indicate the obligations of employees to report any health risk factors identified at the workplace and to protect their colleagues (for example, to report immediately if they believe that certain COVID-19 risk factors apply to them).
Even where this provision is invoked for processing health data to manage COVID-19 risks at the workplace, the processing must still comply with all the other GDPR principles (Art. 5): fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and, of course, accountability.
Depending on the case, there might be other Art. 9(2) exemptions applicable.
GDPR Art. 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
This basis applies, for example, where an occupational health physician assesses the health condition of employees. Note that paragraph 3 requires the data to be processed by, or under the responsibility of, a professional bound by an obligation of professional secrecy. It is also important to point out that relying on this exemption must be accompanied by suitable safeguards applied to the data processing, e.g. security measures, restricted access, strict retention periods and staff training.
GDPR Art. 9(2)(c) – processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
GDPR Art. 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
GDPR Art. 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
The Irish DPC indicated that Art. 9(2)(i) might be applicable where organisations are acting on the guidance or directions of public health authorities or other relevant authorities. The EDPB, in its Statement on the processing of personal data in the context of the COVID-19 outbreak, confirms that Art. 9(2)(c) and Art. 9(2)(i) may be relied on.
Although some might be quick to rely on the provision in letter (c), please note that this exemption only applies where the data subject is physically or legally incapable of giving consent (for example, an unconscious person); it is not a general basis for routine workplace screening.
Could explicit consent be relied on?
GDPR Art. 9(2)(a) – the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
Although, in theory, the explicit consent of the data subject allows the processing of health data, remember that in the employment context consent is rarely an appropriate basis: given the imbalance of power between employer and employee, consent is unlikely to be freely given, and the employee must be able to refuse or withdraw it without detriment.