On Monday, November 15, 2021, President Zuzana Čaputová signed a new law introducing stricter pandemic measures. This is Act No. 412/2021 Coll., which amends and supplements certain laws in connection with the third wave of the COVID-19 pandemic. In this article, you will learn what specific measures have been approved and what obligations apply to employers under the new law and the GDPR.
New Measures
The measures that took effect with the signing of Act No. 412/2021 amend the Act on Misdemeanors, specifically regarding offenses in the healthcare sector. This addresses the current situation concerning insults against healthcare workers and the forgery of COVID-19-related documents (fake COVID passes and tests). Under the new rules, fines will be imposed for such offenses. The changes also affect the areas of pandemic sick leave and endangering healthcare.
However, the most anticipated changes concern employees. The new measures amend the Labor Code regarding the employer’s obligation to check employees upon entry to the workplace. This involves temporarily requiring relevant documentation for entry to the workplace, if so stipulated by measures ordered by the competent public health authority and issued pursuant to a special regulation. In practice, this means that upon entering the workplace, an employee will be required to present proof of COVID-19 vaccination, a certificate confirming recovery from COVID-19, or a certificate of a negative COVID-19 test result, or to undergo a COVID-19 test at the employer’s premises. The proof presented by the employee upon entry must be valid in accordance with the prescribed measure (the Public Health Authority will issue the measure based on a decision by the Slovak government). If an employee fails to present the required documentation, the employer is not required to allow them entry to the workplace.
These measures are subject to a specific regulation issued by the Public Health Authority; however, Act No. 412/2021 allows for temporary restrictions on entry to the workplace even if no specific regulation has been issued. Such a procedure must be necessary for the purpose of ensuring occupational health and safety. In such a case, this does not constitute an obstacle to work on the part of the employee.
Tests, COVID pass, and proof of recovery from the disease – is the processing of such personal data in compliance with the GDPR?
We currently do not have the latest version of the decree regulating employee access to the workplace, and therefore the new measures defined by Act No. 412/2021 are still awaiting implementation. As mentioned above, the law allows for restricting access to the workplace even without a specific regulation having been issued. If the controller decides to make employee access to the workplace conditional, it must do so in a legitimate manner, specifically by merely reviewing the relevant documents. The controller must also commit to not storing the personal data provided in any way or further processing it in any manner.
The legal basis for such processing would be Article 6(1)(d) of the GDPR, where processing is necessary to protect the vital interests of the data subject or another natural person. This legal basis concerning the protection of life and health is applicable only for as long as the public health authority has not issued a specific regulation ordering a temporary restriction on access to the workplace. From the moment the regulation is issued and enters into force, the legal basis for such processing will be Article 6(1)(c), where processing is necessary for compliance with a legal obligation to which the controller is subject.
The scope of personal data that individuals provide upon entering the premises by allowing an authorized person to inspect the relevant document is as follows:
- in the case of presenting a negative test result: first name, last name, date of birth, and test result;
- in the case of presenting proof of COVID-19 vaccination: first name, last name, date of birth, type of vaccine. Note: For vaccinated individuals, there is the option to scan the QR code using a company mobile phone with a QR code reader that does not record personal data. The operator will only see a message that the QR code is valid, and the employee will be allowed to start work.
- In the case of proof of recovery from the disease: first name, last name, date of birth, and test result.
In addition to standard personal data, these documents also contain personal data falling under the special category of personal data, specifically data regarding the data subject’s health status (recovery from illness, vaccine type, test result). Such data may only be processed if one of the exceptions listed in Article 9(2) of the GDPR applies. In this case, we consider the exception under Article 9(2)(i) of the GDPR to be applicable, where processing is necessary for reasons of public interest in the area of public health, such as the protection against serious cross-border threats to health or ensuring a high level of quality and safety of healthcare and medicines or medical devices, based on Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy. The application of the relevant exception is also justified by reference to Recitals 52 through 54 of the GDPR. These processing principles apply in all circumstances.
It is also very important that the employer take all necessary technical and organizational measures to ensure the protection of the personal data collected and, when processing such data, act in accordance with the GDPR and Act No. 18/2018 Coll. in cases where this Act applies.
Technical and organizational measures ensuring the protection of personal data:
- transparency – the employer, pursuant to Article 13 of the GDPR, provides data subjects with detailed information on how personal data is handled, e.g., through the duty to provide information;
- personal data is processed only by viewing the document;
- personal data must not be recorded in any way;
- as part of the personal data protection management system, the employer must have a detailed procedure in place for the processing of personal data (methodological guideline);
- the employer must ensure that persons authorized to view the relevant documents (test result confirmation, proof of recovery from COVID-19, confirmation of full COVID-19 vaccination) are properly instructed and that such instruction is documented;
- authorized persons must be bound by confidentiality regarding the personal data obtained;
- the principle of data minimization must be observed both in terms of the scope of personal data processed and the number of authorized persons.
We will inform you of any changes and updates in a timely manner.
Sources:
https://www.slov-lex.sk/pravne-predpisy/SK/ZZ/2021/412/20211115