Employers that want to scan the QR code on their employees' CoronaCheck app would do well to draw up a policy that outlines the measures for providing a safe workplace. If, within the context of this policy, it is necessary to know who has been vaccinated, tested and/or who has recovered, the use of the CoronaCheck app likely is justifiable.
Based on the outcome of the use of the CoronaCheck app - or a refusal to show it - the employer could make necessary suggestions for adjusting the work situation, such as having the employee wear additional protective equipment or letting them work from home. What is necessary will vary by industry and type of business activities.
Employers should bear in mind that the pursuit of a policy like this is highly innovative and is in uncharted territory. There is, as yet, no case law on this issue.
Position of the government and the Dutch Data Protection Authority
Much has been said and written about permissible pandemic-related policies set by employers. In the Netherlands, it is clear that employers cannot require employees to get vaccinated. However, according to the government, employers are free to ask employees about their vaccination status, provided that the employer has a clear plan on how to proceed if the employee turns out to be unvaccinated or does not want to disclose vaccination status. Employees do not have to answer questions about their status, but an employer may suggest adjustments to the work schedule or the workplace to employees it knows have not been vaccinated or who do not want to disclose their vaccination status. If that suggestion is reasonable, the employee must accept the adjustment, according to the government.
The Dutch Data Protection Authority (DDPA), on the other hand, seems to be of the opinion that an employer may not make such suggestions. According to the DDPA, the General Data Protection Regulation (GDPR) classifies data about health as special personal data, which may be processed only if there is a specific legal basis for doing so. The government also indicates that employers may not record in any way whether or not employees are vaccinated, but it apparently sees this as no impediment to suggesting adjustments. According to the DDPA, however, an employer cannot do much with an answer to the question of an employee’s vaccination status. How do these two positions relate to each other? The answer may depend somewhat on whether the employer is engaged in the healthcare industry.
It is true that the GDPR prohibits the processing of health data unless certain conditions are met. For example, processing is permitted, among other things, if it is “necessary for the purposes of preventive or occupational medicine, the provision of health or social care, or the management of health care systems and services, on the basis of Union or Member State law or pursuant to contract with a health professional.”
The GDPR Implementation Act is the basis in national law that provides that healthcare providers or healthcare institutions may process health data that are necessary for the proper treatment of the data subject or for managing the institution or practice concerned. This basis provides sufficient scope for healthcare employers to process vaccination data if, for example, this step is necessary to safeguard the services the employer provides. The employer may do the processing itself, in which case it is bound to secrecy, or have it carried out by a person subject to professional secrecy, such as an occupational physician.
The employer also may scan the QR code of the CoronaCheck app. After all, it is then not directly processing medical data about the vaccination status.
Employers in other industries
However, it does not seem to be ruled out that employers in industries other than health care also may process data about the vaccination status of employees. The GDPR allows processing if it is “necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment and social security law, in so far as it is authorised by Union law or Member State law or a collective agreement providing for appropriate safeguards for the fundamental rights and interests of the data subject.”
Again, the GDPR Implementation Act provides the ground in national law. That act provides that the prohibition on processing health data does not apply to employers if processing is necessary for the proper implementation of statutory regulations that provide entitlements that depend on the health status of the data subject. We consider such entitlements to be present in this situation.
An employer is required by law to take measures to prevent its workers from suffering harm while on the job. The employer is liable for the damage suffered by workers if it fails to meet this obligation adequately. Fulfilling this obligation, and thus fulfilling the right of workers to a safe workplace, most certainly depends on the health status of the workers concerned. As long as the processing does not go beyond what is strictly necessary for providing a safe workplace, there appears to be no reason why an employer should be in breach of the GDPR.
Therefore, it likely is justifiable for employers to ask employees to demonstrate that they do not pose an - alleged - corona risk, without finding out in doing so whether that is because of vaccination, a recovery certificate, or a negative test. The CoronaCheck app is a suitable tool for this purpose.
For employees who cooperate, it will be clear whether they pose a risk. For employees who do not cooperate, it will then be clear that they may pose a coronavirus-related risk. The question is whether any health data are collected in this process at all; after all, the employer does not know if employees are unvaccinated, untested, or tested but simply not disclosing that.
Scanning the QR code on the CoronaCheck app at the workplace may nonetheless be necessary, especially for companies where workers can only work on-site, without sufficient physical distancing. In that case, any curtailment of employee privacy would seem to be proportionate to the purpose of fulfilling the legal obligation to provide a safe, healthy workplace for everyone in the company.