Italian Data Protection Authority Issues Guidelines on Data Processing Relating to Employees' COVID-19 Vaccinations at the Workplace
The Italian Data Protection Authority ("DPA") has issued guidelines on data protection rules applying to COVID-19 vaccinations at the workplace.
On May 13, 2021, the Italian DPA issued guidelines on data protection rules applying to COVID-19 vaccinations at the workplace that can be organized by employers in accordance with a national protocol on workplace vaccinations adopted on April 6, 2021.
The DPA confirmed that employers may not collect, either directly or indirectly (including through healthcare professionals), any personal data of employees participating in the workplace vaccination campaign, including their participation in such campaign, vaccination status and any other information about employees' health conditions. Unless otherwise provided by law (e.g., healthcare professionals subject to mandatory vaccination requirements), employees can freely decide whether or not to participate in the vaccination campaign without incurring any positive or negative consequences as a result of their choice.
Moreover, according to the DPA guidelines:
- Under the current legal framework, the processing of vaccination data is permitted as being necessary for the purposes of preventive or occupational medicine (as per Article 9 (2) (h) of GDPR);
- Data relating to the participation in the vaccination campaign of identified or identifiable employees must be processed only by healthcare professionals, while employers can process only certain aggregated anonymous data (e.g., number of vaccines to be administered);
- Adequate technical and organizational measures must be implemented to ensure that employers do not have access to employees' vaccination data while organizing the vaccination campaign;
- Workplace vaccinations must be organized in such a way to guarantee the confidentiality and dignity of employees (as well as with regard to the organization of the vaccination space); and
- Employees who choose to be vaccinated can justify their absence from work through a certificate issued by the healthcare professional, which should only mention the provision of a generic healthcare treatment without specifying that the employee has been vaccinated. Should the certificate mention the specific healthcare treatment (i.e., that the employee has been vaccinated), employers are prevented from processing such additional information for any purpose other than retaining the certificate as proof of a justified absence for the employee.
In addition to the COVID-19 vaccination guidelines described above, the Italian DPA issued specific guidelines on data protection rules applying to company doctors with respect to the processing of employees' healthcare data. These guidelines need to be considered as well, as the company doctor is the healthcare professional entitled to process employees' healthcare data, including those in relation to COVID-19 vaccinations.