An agency may process personal data:
Posted: Wed Dec 18, 2024 4:17 am
Mployers are confronted with the corona virus. The RIVM and the Dutch government provide information about what you may and may not do. Nike closed its office after an infected employee was found. DSM and Engie also ask employees to stay home because of corona. But under the General Data Protection Regulation (GDPR), you are not allowed to process medical data as an employer? What about privacy in the event of an epidemic?
What does the GDPR say?
According to the GDPR, you need a basis for processing personal data (Article 6) and when processing medical data, there must be an exceptional situation as stated in Article 9.
Basis
With the consent of the person concerned
If this is necessary for the performance of an hong kong telegram data agreement
When this is required by law
If this is necessary for the vital interests of the data subject or a third party
In the context of carrying out a task of general interest or maintaining public order
If this is necessary for a legitimate interest of that authority, provided that the privacy interest of the data subject does not prevail
Exceptional situation
Article 9 prohibits the processing of medical data, unless an exception applies. For example, you may process medical data with consent (a), if this is necessary for preventive occupational medicine (h) or for reasons of general interest in the field of public health (i).
Doctor must report cases and may isolate people
According to the GDPR, the doctor may process data from an infected employee, because the law obliges him to do so and because this is necessary for public health. In January of this year, a ministerial regulation of the Public Health Act (Wpg) was adopted that introduces a reporting obligation for the corona virus (Covid 19). If a (company) doctor working in the Netherlands suspects or detects the corona virus, he must immediately report this to a municipal health service. He may also isolate infected persons. Based on the Wpg, an infected person may be prohibited from working by the chairman of the safety region and regulations may be issued regarding grounds and buildings.
AP: Employer may not record anything about the nature of the illness
According to the Dutch Data Protection Authority (AP), the employer has no basis to register anything about the nature of an employee's illness. This is not necessary, it states in its policy rules The sick employee . This applies to a cold, a broken leg and therefore also the corona virus.
That conclusion does indeed seem to be in line with the GDPR. The employer has no legal obligation, nor does he in principle fulfil a task of general interest. And in the case of medical data, an employer cannot rely on legitimate interest either.
Permission only in exceptional situations
Permission also offers insufficient security. The AP says.
What does the GDPR say?
According to the GDPR, you need a basis for processing personal data (Article 6) and when processing medical data, there must be an exceptional situation as stated in Article 9.
Basis
With the consent of the person concerned
If this is necessary for the performance of an hong kong telegram data agreement
When this is required by law
If this is necessary for the vital interests of the data subject or a third party
In the context of carrying out a task of general interest or maintaining public order
If this is necessary for a legitimate interest of that authority, provided that the privacy interest of the data subject does not prevail
Exceptional situation
Article 9 prohibits the processing of medical data, unless an exception applies. For example, you may process medical data with consent (a), if this is necessary for preventive occupational medicine (h) or for reasons of general interest in the field of public health (i).
Doctor must report cases and may isolate people
According to the GDPR, the doctor may process data from an infected employee, because the law obliges him to do so and because this is necessary for public health. In January of this year, a ministerial regulation of the Public Health Act (Wpg) was adopted that introduces a reporting obligation for the corona virus (Covid 19). If a (company) doctor working in the Netherlands suspects or detects the corona virus, he must immediately report this to a municipal health service. He may also isolate infected persons. Based on the Wpg, an infected person may be prohibited from working by the chairman of the safety region and regulations may be issued regarding grounds and buildings.
AP: Employer may not record anything about the nature of the illness
According to the Dutch Data Protection Authority (AP), the employer has no basis to register anything about the nature of an employee's illness. This is not necessary, it states in its policy rules The sick employee . This applies to a cold, a broken leg and therefore also the corona virus.
That conclusion does indeed seem to be in line with the GDPR. The employer has no legal obligation, nor does he in principle fulfil a task of general interest. And in the case of medical data, an employer cannot rely on legitimate interest either.
Permission only in exceptional situations
Permission also offers insufficient security. The AP says.