Background
Since the rollout of COVID-19 vaccination program in Romania, employers are struggling to find out whether they can lawfully collect and process information about the COVID-19 vaccination status of their employees. In the context of the successive return-to-work phases, this piece of information was a key factor in an employer's assessment and decision process for physical workplace re-opening in a safe working environment.
To date, there is still no legislation in Romania regulating the impact of vaccination on the employment status of employees, such as checking employees' COVID-19 status as a condition of employment or continuation of employment.
We do however have since September 2021 a draft law (454/2021), which makes the COVID-19 green certificate mandatory in the workplace. The draft law generated a lot of fuss in the Romanian society, it was rejected (with a very small difference in votes) by the Romanian Senate on 27 October 2021 and is to enter soon into the debating stage before the Chamber of Deputies, which is the decisional forum. Provided that such draft law will become a law, the categories of employers listed within the law should be able to rely on a strong and clear legal basis for checking employees' COVID-19 status when entering the workplace.
Current legal basis for data processing
There are two sides of the vaccination story from an employer's perspective:
- How to legally obtain the information (e.g. for implementing certain HSE measures) and
- What would be the legal consequences of not being vaccinated against COVID -19 or (periodically) tested on the employment contract.
While the second one has a huge legal impact and is perceived as a threat to the fundamental constitutional rights of a natural person, from a data protection perspective only the first question is actually relevant. The data regarding COVID-19 status reveals health data, which is subject to stricter rules due to its sensitive nature and can only be processed in very limited situations as provided by the GDPR (Article 9(2)).
Needless to say that those employers who collect and process information about the COVID-19 vaccination status of their employees must ensure that they have a legal basis for processing such information under Article 9(2) of the GDPR.
As consent of the data subject may be a questionable legal basis for data processing in the employment context (as the consent of the employee may not be considered as "freely given" due to the imbalance of power between the employer and the employee), the employers may seek to rely on other conditions under Article 9 (2) of GDPR for data processing, such as:
- Article 9(2)(b) – processing necessary to comply with legal obligations in the field of employment; or
- Article 9 (2)(h) – processing necessary for the purposes of preventive or occupational medicine; or
- Article 9(2)(i) – processing necessary for reasons of public interest in the area of public health.
To date, and prior to the enaction of the draft law 454/2021, the only explicit Romanian legal provision justifying an employer's potential right (or obligation) to request information regarding vaccination status from their employees is the one granting employees the right to one paid day off for each dose of vaccine against COVID-19, with the corelative obligation of the employer to grant such paid day-off (Law 221/2021, amending Law 55/2020 that regulates the state of alert, provision in force as of 29 July 2021). While this legal provision helps an employer to get a good sense of who is being vaccinated and who is not, employees are of course not mandated to disclose the vaccination status.
We therefore believe that currently the legal basis for such processing of the data that is being voluntarily disclosed by the employees is Article 9(2)(b) GDPR, as employers need to comply with their legal obligation under Law 221/2021 to grant a paid day-off per administered vaccine dose.
ANSPDCP opinion on the matter
The Romanian Data Protection Authority ("ANSPDCP") does not provide on its website any specific guidance on justifiable grounds for collecting COVID-19 vaccination data of employees.
However, ANSPDCP has answered in July 2021 to a request to issue an opinion on the practice of employers to collect the COVID-19 vaccination status of employees. The opinion is however pre-existing to the legal ground under Law 221/2021, being rather triggered by the practice of employers to open collective accounts on the national vaccination platform for programming their employees to vaccination.
Though not expressly stated in the said opinion, ANSPDCP seems to favor the consent of the data subject as legal basis for processing health data of employees, such as data regarding COVID-19 vaccination status of the employees, provided that employers comply with the conditions stated by Article 7 in conjunction with Article 4(11) and Recital (32) of the GDPR, respectively employers ensure that such consent is freely and validly given.
Other data protection elements to be considered by employers
Employers must provide employees with information about how and why their personal data on COVID-19 vaccination is being processed according to GDPR requirements, prior to starting such processing. This could be an update to an existing privacy notice or a separate information note.
Also, if the use of such data is likely to result in a high risk to individuals (e.g. denial of an employment opportunity) or processed on a large scale, employers should consider carrying out a data protection impact assessment before processing COVID-19 vaccination data.
To the extent that employers collect and process data relating to the COVID-19 vaccination of their employees, this must be done in accordance with the GDPR principles on processing of personal data, respectively it has to be adequate, relevant and limited to what is necessary in relation to the purposes of the processing under the GDPR.
Article provided by INPLP member: Adelina Iftime-Blagean (Wolf Theiss, Romania)
Co-authoreded with: Nina Lazar
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)