On October 24, 2020, Resolution No. 678 of the Government of the Slovak Republic of October 22, 2020, came into force, introducing a curfew valid until November 1, 2020. The restriction on movement has been extended until November 8, 2020, by the new Resolution of the Government of the Slovak Republic No. 693 of October 28, 2020. However, the curfew does not apply to certain exceptions. Until November 1, these exceptions include travel to and from work and travel for business or other similar activities. From November 2, 2020, this exception does not apply, and for the purposes of performing work or business activities, an exception is introduced for persons who can prove a negative RT-PCR test result performed between October 29, 2020, and November 1, 2020, or a certificate issued by the Ministry of Health of the Slovak Republic with a negative result of an antigen test certified in the European Union for COVID-19 performed between October 29, 2020, and November 1, 2020, by an entity participating in the nationwide testing program "Joint Responsibility".

This means that from November 2, 2020, only people with a negative COVID-19 test result will be allowed to leave their homes. This also applies to going to work outside the employee's home.
Based on this, employers (personal data controllers) have decided that, starting Monday, November 2, 2020, they will require employees and other persons entering their premises to provide proof of a negative COVID-19 test result.
Is such proof appropriate in view of personal data protection?
The personal data that persons provide upon entering the premises, by letting a designated person inspect the relevant document, comprises name, surname, date of birth (personal data) and test result (special category of personal data). From the perspective of the GDPR and Act No. 18/2018 Coll. on personal data protection, this therefore constitutes the processing of personal data. However, employers should not carry out any further operations with this personal data, i.e. no recording, provision to third parties, etc. Defining the legal basis for carrying out such processing operations could currently be controversial given the differing opinions of state institutions, also in view of the situation where the Public Health Authority of the Slovak Republic issued a Decree on September 30, 2020, which imposes measures in the event of a threat to public health regarding the regime for the entry of persons into the premises of businesses and employers, available here: https://www.uvzsr.sk/docs/info/ut/vestnik_ciastka_12_2020.pdf (hereinafter referred to as the "Decree").
The Decree, issued pursuant to Section 59b of Act No. 355/2007 Coll. on the protection, support and development of public health and on amendments to certain laws (hereinafter referred to as "Act No. 355/2007 Coll."), imposes measures in the event of a threat to public health pursuant to Section 48(4)(e), (s), (x) and (z) of Act No. 355/2007 Coll. An important measure is the prohibition of entry to the outdoor and indoor areas of facilities, which is imposed on operators of facilities. Similarly, the obligation to prohibit entry to the premises is also imposed on employers with regard to their employees. This prohibition of entry does not apply to the exhaustively listed exceptions, which persons should prove to the operator/employer with the relevant document, which the operator/employer is only entitled to inspect. This means that the operator/employer will act in a legitimate manner if they only inspect the test result confirmation and, based on this, allow or deny the employee or other person access to their premises.
However, in the opinion of the authors of this article, it may be debatable, given the wording and phrasing used in the Decree, whether this Decree is capable of being a relevant legal basis for the processing of personal data of data subjects under Article 6(1)(c) of the GDPR (i.e. compliance with the controller's legal obligation). The Decree does not expressly impose an obligation on controllers/employers to request the relevant document, but only regulates the right of controllers/employers. However, this does not affect the legitimacy of the right of controllers and employers to request the provision of such documentation. It may, however, affect the identification of the legal basis for the processing of such personal data.
The authors of the article are of the opinion that controllers/employers may use a different legal basis for the processing of such personal data.
After nationwide testing, every natural person who tests positive or refuses to be tested must be placed in mandatory quarantine and is subject to a curfew (with certain exceptions).
Based on the wording of the Decree, it can be concluded that if an employee does not present a document proving an exception to the ban on entry to the premises, that person is deemed not to meet the occupational health and safety requirements under Section 5 of Act No. 124/2006 Coll. on occupational health and safety and on amendments to certain acts, as amended.
What legal basis for the processing of personal data will be used in such a case?
Operators would thus be able to rely on the legal basis within the meaning of Article 6(1)(d) of the GDPR, according to which processing is necessary to protect the vital interests of the data subject or another natural person. According to recital 46 of the GDPR, the processing of personal data should also be considered lawful if it is necessary for the purposes of the vital interests of the data subject or of another natural person. The processing of personal data based on the vital interests of another natural person should, in principle, only be carried out when such processing cannot be based on another legal ground. Certain types of processing may serve important public interest purposes as well as the vital interests of the data subject, for example where processing is necessary for humanitarian purposes, including monitoring epidemics and their spread or in humanitarian emergency situations, in particular in the event of natural or man-made disasters.
Since the test result, together with the person's identification data, such as name, surname, and date of birth, is a special category of personal data, it is necessary to apply an exception to the prohibition of processing, namely the exception within the meaning of Article 9(2)(i) of the GDPR, where processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring a high level of quality and safety of healthcare and of medicinal products or medical devices, on the basis of Union or Member State law laying down suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy. The application of the relevant exception is also justified with reference to Articles 52 to 54 of the GDPR.
In order for the above exception to apply, the condition of necessity for reasons of public health, including protection against serious cross-border threats to health, must be met; this can be inferred, for example, from Part Seven of Act No. 355/2007 Coll. In this case, the condition of cross-border threat to health is also met, which can be understood as a threat of a global nature, where the health of people in at least two Member States is threatened as a result of a single impact. We also base our assessment on the World Health Organization (WHO) declaration of 11 March 2020 declaring the spread of COVID-19 a global pandemic. These conclusions are also taken as a basis by European authorities and institutions, which are pushing for a coordinated approach by Member States.
At the same time, it is required that appropriate and specific measures to protect the rights and freedoms of the data subject be laid down in Union law or the law of the Slovak Republic, which may also include legal provisions on the protection of personal data under the GDPR and Act No. 18/2018 Coll. on the protection of personal data, specifically referring to Section 79 of this Act, which regulates the obligation of confidentiality regarding personal data (note: the relevant provision of the Act applies to relations in accordance with Section 3 of Act No. 18/2018 Coll.). We note that there may also be other specific legal regulations that impose an obligation of confidentiality regarding the personal data obtained, etc.
For the sake of completeness, with regard to the condition of necessity of this processing, we refer to the obligation of natural persons-entrepreneurs and legal entities under Section 52(1)(a) of Act No. 355/2007 Coll. on the protection, support and development of public health and on amendments to certain laws, to implement measures to prevent diseases pursuant to Section 12(2)(a) to (c), (e) and (g) to (n) of this Act, whereby pursuant to Section 12(2)(h), one of these measures is also the prohibition or restriction of the practice of a profession by persons suffering from a communicable disease or suspected of such a disease.
In support of the above opinion, we would also like to refer to the Statement of the European Data Protection Board (EDPB) on the processing of personal data in relation to the COVID-19 outbreak, adopted on 19 March 2020, which is available in English here: https://edpb.europa.eu/news/news/2020/statement-processing-personal-data-context-covid-19-outbreak_sk.
The EDPB expressed the basic idea that data protection rules (such as the GDPR) do not prevent measures taken to combat the coronavirus pandemic and that an emergency situation is a legal condition that can legitimize restrictions on freedoms, provided that these restrictions are proportionate and limited to the exceptional period. The EDPB naturally emphasizes ensuring the lawfulness of personal data processing and ensuring its protection.
The EDPB expressly comments on the processing of personal data related to the COVID-19 pandemic in the context of employers, and has expressed the view that in the context of employment, the processing of personal data may be necessary for employers to fulfill their legal obligations to ensure safety and health at the workplace or in the public interest, for example in the control of diseases and other health risks. The EDPB states that the GDPR provides for exceptions to the prohibition on processing special categories of personal data, such as data concerning health, where necessary for reasons of substantial public interest in the area of public health (referring to Article 9(2)(i) of the GDPR), as recital 46 of the GDPR explicitly refers to epidemic control.
Based on the above, it can be concluded that the employer's request for the employee to provide proof of a negative test is only a means of fulfilling its legal obligation under Act No. 355/2007 Coll., and the personal data obtained in this way must be used exclusively for this purpose. Once the purpose has been fulfilled, the personal data may not be further processed.
At the same time, however, it is very important that the employer takes all necessary technical and organizational measures to ensure the protection of personal data obtained in this way and processes it in accordance with the GDPR and Act No. 18/2018 Coll. in cases where this Act applies.
In its statement, the EDPB also emphasizes several basic principles that need to be taken into account in connection with the outbreak of the COVID-19 pandemic and the processing of personal data to prevent its spread. Personal data necessary to achieve these objectives should be processed only for specific and explicit purposes, and the data subject must be provided with transparent information about the processing activities and their main characteristics. It is also particularly important to apply the principles of proportionality and data minimization, according to which employers should only request health information to the extent permitted by national law (author's note: the above-mentioned laws and the Decree may be applied here).
Based on the EDPB statement, the competent authorities of several Member States have issued their own statements, taking into account their national regulations. An interesting example is the approach taken by the Irish Data Protection Commission, which, on the one hand, emphasized the obligations of employers to protect their employees and their privacy, but noted that Article 9(2)(i) of the GDPR allows employers to process employees' personal data relating to their health status in connection with COVID-19, in conjunction with national law imposing obligations on employers to ensure the protection and safety of health and good working conditions in the workplace. A similar approach is also applied by other Member States, and we therefore consider it justified that these legal bases and exceptions arising from the GDPR in conjunction with the national legal norms of the Slovak Republic should also be applied in Slovakia.
Is it necessary for the person presenting the proof to give their consent to the presentation?
Since the legal basis for such an act – presentation of a negative COVID-19 test result – is the protection of life and health pursuant to Article 6(1)(d) of the GDPR, and not consent to the processing of personal data pursuant to Article 6(1)(a) of the GDPR, it is not necessary to obtain such consent from the data subjects.
What technical and organizational measures should be taken to protect personal data?
1. Transparency should be ensured through an information obligation, whereby you will inform the data subjects in detail, in accordance with Article 13 of the GDPR, about how you process personal data.
2. After the certificate of non-infectiousness has been checked by an authorized person, no further processing of personal data may take place, whether automated or non-automated.
3. Personal data obtained in this way may not be stored or recorded in any way.
4. As part of the personal data protection management system, the controller must have a detailed procedure in place for such processing of personal data.
5. Persons performing specific tasks on behalf of the controller in verifying the negative test results of the data subject, i.e. authorized persons, must be properly instructed within the personal data protection management system, and such instruction should be documented.
6. The authorized person must be bound by an obligation of confidentiality regarding the personal data obtained.
7. The principle of minimization must be observed, not only in terms of the scope of processing but also in terms of the number of authorized persons, i.e., such data collection and verification shall only be carried out in relation to persons whose access to the employer's premises is necessary.
Finally, we would like to draw your attention to the preliminary opinion of the Slovak Data Protection Authority on proving a negative test result/certificate from mass testing, available here: https://dataprotection.gov.sk/uoou/sk/content/predbezne-stanovisko-uradu-k-preukazovaniu-sa-negativnym-vysledkom-testu-certifikatom-z . We do not fully agree with the opinion of the Office and we hold the opinion presented above. We continuously monitor and consult the opinions of the Office.
Based on the above, our partner consulting companies Top privacy s.r.o. and law firm Hronček & Partners, s. r. o. are prepared to provide you with more detailed advice and prepare the necessary documents required by the relevant legal regulations.
If you have any questions on this issue, please do not hesitate to contact us at the following email addresses: info@topprivacy.sk/info@legalfirm.sk or call us at +421 908 230 438/ +421 908 602 103.
Note: The article reflects the opinion of the author. This opinion is subject to change and is not binding. In preparing the article, the author relied on information that he considered reliable.
*The article is for informational purposes only, and neither the author nor the company publishing the article is responsible for the accuracy, completeness, or timeliness of the opinions expressed in the article.