Employee health data – COVID vs. GDPR

During the spread of the COVID pandemic, employers were keen to collect disease-related data from their employees in order to maintain a healthy workplace and safe working conditions. However, as the pandemic is easing, the legality of the pandemic-related health data records is being questioned.

During the consultations, the collection and storage of the following data was identified at most of the companies:

  • name
  • the existence of the disease or the fact of having had it
  • the results of tests carried out at the workplace
  • recovered
  • suspicious cases.

Given the sensitive nature of the above data, their processing requires particular care and should be avoided wherever possible.

Article 9(1) of the GDPR prohibits the processing of personal data linked to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data or biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons.

“Health data” under the Regulation means personal data concerning the physical or mental health of a natural person, including data relating to health services provided to a natural person which contain information about the health of the natural person.

The data listed above and similar data collected by the employer fall into this category, and Article 9(2) gives only a narrow possibility to process them.

For the employer, the possibility to process health data can be provided on the legal basis of Article 9(2) of the GDPR. Under it, the legal basis for the collection of data is the fulfilment of obligations arising from the legal requirements governing employment (based on the occupational safety and health regulations aimed at ensuring safe and healthy working conditions). The legal basis for data processing is Article 6(1)(c) of the GDPR: the fulfilment of a legal obligation, which is implemented by Article 2(2) of Act XCIII of 1993 (the employer’s responsibility for the implementation of safe and healthy working conditions).

Given that the current epidemiological situation is not critical and the government lifted the state of emergency at the beginning of the summer, no circumstance exists that would require data collection.

Although Article 9(2)(a) of the GDPR allows the collection of sensitive data on the basis of consent, according to the position of NAIH (the Hungarian abbreviation for the National Authority for Data Protection and Freedom of Information) this cannot be interpreted or applied in an employment relationship.

On the legal basis mentioned above, it is extremely risky to collect data on workers’ health, even if only statistical data are stored.