The Italian privacy authority issued its FAQs on the Covid-19 vaccination of employees, setting stringent limits on what personal data and information employers can process.
The rise of questions on Covid-19 vaccination of employees
With the first wave of Covid-19 vaccinations unfolding throughout Italy, we received several requests for advice from clients seeking instructions on whether they can investigate the vaccination of their employees and limit access to the workplace to vaccinated employees only.
The Garante was faster than the pace of vaccination in the country and issued its FAQs on some issues that emerged in recent months concerning the processing of personal data related to Covid-19 vaccination in the workplace. The Italian privacy authority provided answers relating to several critical issues raised by companies, institutions, and governmental authorities in the context of the processing of personal data of their employees and the role of the occupational doctors to promote a consistent approach to the GDPR and other provisions relating to the processing of personal data, even in emergency circumstances.
The position taken by the Italian privacy authority on Covid-19 vaccination of employees
The Italian data protection authority addressed the following three questions:
1. Can the employer ask its employees to confirm that they have been vaccinated?
The Garante argues that an employer cannot ask its employees to provide information on their vaccination status or copies of documents that prove vaccination against Covid-19, and rules out that this activity can be based on their consent. In light of Recital 43 of the GDPR, the Italian data protection authority emphasizes that “the employer cannot consider lawful the processing of data relating to vaccination based on the consent of employees, since consent cannot constitute in this case a valid condition of lawfulness”.
2. Can the employer ask the occupational doctor for the names of employees vaccinated?
The Garante clarifies that the occupational doctor is not authorized to provide the employer with any data on the names of employees who have received the Covid-19 vaccine. In line with this approach, it deems that “only the occupational doctor can process health data of workers and among them, if any, information relating to vaccination, as part of health surveillance and verification of suitability for the specific task”. The Italian privacy authority believes, however, that the employer is entitled to acquire the assessments of suitability for the specific task of the employee and the prescriptions/limitations contained therein.
3. Can the Covid-19 vaccination of employees be required as a condition for access to workplaces and certain tasks’ performance (e.g., in the health sector)?
The Italian data protection authority emphasizes that, at present, in the absence of a regulatory framework that “assesses whether to place the Covid-19 vaccination as a requirement for carrying out certain professions, work activities and tasks”, the “special protection measures” provided for certain working environments apply in cases of direct exposure to “biological agents” during work, such as in the health context that involves high levels of risk for workers and patients.
In this regulatory framework, the occupational doctor is the only person authorized to process personal data relating to the vaccination of employees and, where appropriate, to consider the vaccination status when assessing the suitability of the worker to the specific task. On the other hand, the employer “will instead be limited to implementing the measures indicated by the occupational doctor in cases of a judgment of partial or temporary unfitness for the task to which the worker is used”.
The additional feedback on the pass for vaccinated individuals
In addition to the above points on the vaccination of employees, the Italian privacy authority held that the practice of developing apps able to identify individuals who were vaccinated to allow them access to specific locations, such as airports, train stations, gyms, and hotels, is not compliant with the GDPR.
The Garante believes that such a practice would be legal only with an ad hoc law enabling such checks. Indeed, the message issued by the Italian data protection authority sounds like a warning against the indiscriminate collection of personal data relating to vaccinated individuals.
In this respect, it is worth mentioning that public interest can be a legal basis of the data processing under Italian law only if expressly identified by a law allowing the processing of personal data associated with that practice.
On a similar topic, you may find interesting the article “The new position on coronavirus checks of the Garante privacy in Italy”.