Pay attention to employee sensitive data processing in accordance with the GDPR

Schaffer News

Like the recent Personal Data Protection Act, the new General Data Protection Regulation (the GDPR) contains rules on the processing of so-called sensitive data, which it labels a special category of personal data. These are data revealing racial or ethnic origin, political opinions, religious and philosophical beliefs, or trade union membership, genetic and/or biometric data processed for the purpose of uniquely identifying a natural person, and data concerning a person's health, sexual life and orientation.

The sensitive/special data about health of employees:

Typically, an employee’s sensitive personal data could be processed in connection with temporary incapacity for work. If an employee submits proof of incapacity for work in the form of a standard sick note issued by a doctor, the procedure is perfectly in accordance with the Regulation, as the certificate only contains information on the fact itself and no specific information about the employee’s health. The information that an employee is unfit for work is not information on an employee’s health as seen by the GDPR and, therefore, not sensitive. The situation is completely different when the employee submits a medical report or a similar medical record containing their diagnosis and/or further information about their health: that information is sensitive personal data on the employee’s health.

Should the employer aim to process medical records containing sensitive personal data, they need to meet the legal requirements. Since the law does not require such data (i.e. data on a specific state of health) to be processed, the employer will not usually have a legal title for the processing. Should they decide to solve the situation by acquiring consent, which has to be given explicitly for sensitive data processing, such consent might not be deemed valid. According to the current standpoints of the Article 29 Working Party, processing personal data on the basis of employees’ consent is generally unacceptable within the scope of labor-law relationships. As the relationship between employee and employer is very specific and based on a certain type of dependence, doubts regarding the freedom of a given consent will always appear.

With the above borne in mind, it is always highly recommended that employers accept only standard sick notes, which do not contain any specific information on the employee’s health, as proof of temporary incapacity for work. If they accept documents with a specific diagnosis, they may commit an administrative offence in the field of personal data processing, with the only exception being the employer keeping records of accidents at work and occupational diseases.

Processing of biometric data in connection with attendance:

Nowadays, many employers use attendance systems that record the employees’ presence at their workplace on the basis of fingerprints. Most of these systems operate on the principle of fingerprint encoding, which means that the system encodes the employee’s fingerprints in such a manner that they cannot be obtained back from the system. Up to now, based on both the Personal Data Protection Act and the standpoint of the Office for Personal Data Protection, such a one-way transfer into a code did not represent sensitive information about the employee; thus, no sensitive data was processed.

With the GDPR, the attitude towards fingerprints and their processing as biometric data has changed. The current opinion of the Office is that fingerprint processing on the basis of their encoding is indeed sensitive data processing. As the GDPR provides more protection to biometric data, the one-way transfer of fingerprints is deemed to fall within the special categories of personal data.

Taking the current conclusion of the Office into consideration, employers will have to acquire explicit consent from employees to the processing of their sensitive personal data (e.g. their fingerprints). Should they fail to do so, they will breach the ban on sensitive personal data processing, since they will not meet any of the requirements for personal data processing authorization. We would like to point out that this is the Office's current stance and it may change in the future.

Further sensitive data:

As regards other sensitive data, such as information on racial and ethnic origin, political opinions, religious and philosophical beliefs or trade union membership, the full ban on their processing within labor-law relationships still applies. The ban is stipulated by the Labor Code, which bans employers from requiring their employees (and job applicants) to provide such information.