The ongoing health emergency has made it necessary for the Italian Data Protection Authority to address a series of issues relating to the processing of data in the workplace according to the measures imposed on the public and private companies to contain the spreading of the Covid-19 infection, as provided for by the applicable legislation.

With specific reference to data protection issues, the Italian Data Protection Authority recently issued a clarification on the topic of workers’ vaccination and the possibility of data processing by employers.

The Italian Ministry of Health has developed a strategic plan to identify the categories and priority for the vaccination campaign against the SARS-CoV-2/COVID-19 virus. The plan has been based on the information available on the vaccines. To date this vaccination campaign seems to be the only solution to control the pandemic that, in the medium term, will guarantee the safety of the community.

In consideration of the protraction of this emergency situation, the issue of the anti Covid-19 vaccination is also of great interest to employers, looking for suitable ways to guarantee health and safety in the workplace and the safe continuity of work and production activities. The prospect of vaccinating against Covid-19 seems to be a definitive measure for the prevention of the virus in a work environment.

The current emergency has made it an issue in the treatment of so-called particular categories of personal data – that is, pursuant to EU Regulation 679/2016, namely the data suitable concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life or sexual orientation – in the work environment context and the necessary precautions that must be taken by the data controller regarding those sensible aspects. As is well known, numerous regulatory provisions justify the processing of data belonging to particular categories by the employer but the processing of data by the latter must necessarily comply with measures that guarantee its safety; moreover, the same precautions must be respected by all subjects who have access or process data  on behalf of the data controller.

On February 17, 2021, the Italian Data Protection Authority intervened with an update of the FAQ published on its website in order to clarify the processing of the employees’ personal data in a work environment with specific reference to the topic of vaccinations.  In particular, the Authority’s FAQ clarifies who can process data relating to employees’ vaccination at its place of employment. The Authority clarified that the employer cannot ask their employees for confirmation of the vaccination, nor copies of documents proving that the vaccination against Covid-19 has been done. In fact, the processing of such data is not permitted by the regulations on health and safety in a work environment, nor by the emergency legislation issued to date. Furthermore, the Authority specified that this processing of personal data cannot be based on the employee’s consent: this consent would not be valid pursuant to EU Regulation 679/2016, due to the imbalance of the relationship between the data controller and the data subject in the working environment.

Even in the current emergency, the right to process data relating to health (such as information relating to the vaccination status of the employees) remains reserved to the competent doctor; only the latter can in fact process the health data of workers as part of its health surveillance activity, as required by the current legislation. The Authority therefore reiterated that the employer cannot request the doctor to communicate the names of the employees’ who have been vaccinated, but it can only acquire the judgments of suitability for a specific job and any prescriptions and / or limitations contained therein (as required by Legislative Decree no. 81 / 2008).

The FAQ on the “Processing of data relating to anti Covid-19 vaccination in the place of work” are added to the FAQs already published by the Authority and in particular those relating to “Data processing in the public and private working areas in the situation of the sanitary emergency”. The intervention of the Authority provides practical information to employers, providing guidance to the latter and ensuring that they can process personal data in compliance with current legislation on the processing of personal data.

WHY IS IT IMPORTANT:

As the emergency situation continues, employers continue to have to face new issues related to the processing of employees’ health data; even in the current situation, it is however necessary that the processing of such data is carried out in accordance with the provisions laid down in the current legislation. Therefore, the intervention of the Italian Data Protection Authority is essential to provide practical guidelines to employers also in order to prevent possible unlawful processing of data in consideration of the current health emergency.