The COVID-19 pandemic has undoubtedly brought significant changes not only to the everyday life of citizens but also to the operations of business entities, i.e. to the way the work process is established and conducted.
One of the current issues, i.e. a question that has often been asked lately, is the permissibility and justification of so-called COVID passes, especially in the context of their introduction as a condition for employees to access their workplaces. On the one hand, the employer's interest is to ensure the stable running of the work process, while also being liable for organizing it in a way that provides safety and protection of life and health at work. On the other hand, the employee's interest is not only the protection of their health at work, but also the protection of their personal data, and especially the prevention of discrimination based on their health condition.
Even at first glance, it is clear how complex this topic is: making employees' access to work conditional on inspection of a certificate of vaccination against COVID-19, recovery from illness or a negative test result must be considered from many different angles (legal as well as ethical and practical) before any judgment on it can be given.
In this text, we will take a brief look at this issue from the aspect of the regulations of the Republic of Serbia governing personal data protection.
What Does the Act on Personal Data Protection Say?
We believe that, even to a legal layman, it is apparent that data on immunization, recovery from illness, or COVID-19 test results represent personal data within the meaning of the Act on Personal Data Protection (Official Gazette of RS, no. 87/2018) (the “APDP”). Inspecting this type of data also represents the processing of personal data in terms of this regulation. In addition, it is important to note that data on health status (physical or mental health and the provision of health services) represent a special type of personal data, subject to very restrictive processing rules. In other words, a multitude of conditions must be met in order for such processing to be lawful.
Thus, the APDP stipulates that personal data must be collected for purposes that are specifically determined, explicit, justified, and lawful, and that it cannot be processed in a manner that is not in accordance with those purposes. It also stipulates that processing is lawful (among other cases) only if it is necessary in order to pursue the legitimate interests of the controller (or a third party), unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data (especially if the data subject is a minor). The APDP also sets out the so-called principle of minimization of personal data, meaning that data must be appropriate, relevant, and limited to what is necessary in relation to the purpose of processing. In addition to the above, the APDP explicitly provides for cases in which the processing of individuals’ health data is allowed.
What Can We Conclude from the Above?
It is clear, therefore, that there is no uniform answer to the question of whether, from the point of view of the APDP and other domestic regulations on personal data protection, employers can make employees' coming to work conditional on inspection of their certificate of vaccination against COVID-19, recovery from illness or a negative test result. The answer depends on numerous circumstances of the specific case, such as the nature of the employer’s business activity, the number of active COVID-19 cases in the relevant area, the measures prescribed by the competent authorities that are in force at a particular moment, etc.
Additionally, we emphasize that, apart from the position that data on the health status of employees can be processed only in accordance with the acts of competent authorities related to the pandemic and with full respect for the principles of data processing pursuant to the APDP, there is at the moment no relevant practice of the domestic competent authorities on this matter.
What Can We Do?
Bearing in mind all the above, it remains to be seen whether, given the frequency and importance of this issue, appropriate guidelines will be issued by the competent authorities in the coming period, as well as what specific solutions will arise out of the practice of business entities in these unquestionably specific circumstances.
This article is to be considered exclusively informative, with no intention of providing legal advice. If you need additional information, please contact us directly.
By Lara Maksimovic, Senior Associate, PR Legal