Can companies ask to see their employees’ corona passports?

The decision to introduce the corona passport in Denmark is part of a political agreement, and there is not yet any proposed draft bill on how this solution will be administrated. The Danish government has suggested that the corona passport, among other things, can be used to protect employees and ensure reopening by ensuring that only employees who has tested negative or are vaccinated against coronavirus can gain access to the workplace. The Digital Green Certificate proposed by the EU Commission will include the same type of information but will be valid across EU Member States. But whether these new solutions can play a role when reopening the workplace will depend on whether companies can even ask to see and process the health information included in an employee’s corona passport, regardless of the form.

According to current information available on the new corona passport introduced in Denmark, the solution will give companies a “consent-based” overview of the employees “corona status”. Consequently, according to the developer, the solution will help ensure a safe reopening of the workplace. However, depending on how the final digital version of the corona passport ultimately will look, it appears – from a first look - that the passport in itself ensures a lawful basis for the processing of data under the applicable data protection rules. Nonetheless, a consent-based solution can hardly be considered the correct lawful basis for processing activities and would in any case be insufficient for companies to rely on to comply with the rules of the Danish Health Information Act.

The Danish Health Information Act trumps consent

Both information on an employee’s test result or vaccination status with respect to coronavirus is health information. Companies must therefore first of all comply with the rules under the Danish Health Information Act when they process the information. Here, the main rule is that a company cannot ask to collect, receive, or otherwise make use of health information in connection with or during the employment, to determine the employees’ risk to develop an illness or get sick.

Precisely because the Danish Health Information Act has strict requirements, a new act was implemented at the end of 2020 in Denmark, giving companies access to require that their employees to get tested for coronavirus and to receive the test results. However, the new act does not give companies access to information regarding whether the employee has been vaccinated. We have taken a closer look at this issue here and here.

Should companies want to see their employees’ corona passport in a situation where it shows their vaccination status, it would require that one of the exceptions to the Danish Health Information Act could be applied. Otherwise, obtaining the information would be unlawful under the Danish Health Information Act. In this situation, consent under the applicable data protection rules will also be insufficient, as the Danish Health Information Act has more strict requirements.

Should companies want to see their employees’ corona passport in a situation where it only shows the employees’ test results, it would be possible for the company to see the corona passport in accordance with the special new act, subject to certain conditions being met. In this situation, in accordance with applicable data protection rules, there would be no need for the employees’ consent. Instead, the lawful basis allowing companies to ask to see their employees’ test results would be based on this special new act, and therefore the processing activity would be necessary due to “significant interests of society”. Therefore, it would be wrong to process the data on the basis of consent from the employees, as the solution for the corona passport suggests.

Because companies’ access to see the corona passport is determined by whether the passport only contains test results or also has information regarding vaccination, it can easily cause problems as it is the employee that decides what information the corona passport contains, and the passport can include both types of data.

IUNO’s opinion

New opportunities arise with the introduction of the new Danish corona passport and potentially later, the European Digital Green Certificate, for an effective reopening. However, companies need to be cautious if the corona passport is used as part of the reopening of the workplace. Health information is a special category of data under applicable data protection rules. This triggers increased requirements and risks when processing takes place. We have previously written about the requirements here.

There are still a lot of uncertainties regarding the lawful basis that we hope will be clarified in connection with the implementation of the political agreement, and later, potentially, the Digital Green Certificate. IUNO recommends that companies thoroughly examine the special requirements that apply with respect to requesting health information from employees, requiring testing for coronavirus and other data protection issues before guidelines or policies are introduced, requiring that employees use or show their corona passport as part of their work.

[Tripartite agreement on the plan for reopening of Denmark between the government (Socialdemokratiet) and Venstre, Dansk Folkeparti, Socialistisk Folkeparti, Radikale Venstre, Enhedslisten, Det Konservative Folkeparti, Liberal Alliance and Alternativet agree on a joint framework agreement for the reopening of Denmark of 22. March 2021 and the Proposal for a Regulation of the European Parliament and of the Council on a framework for the issuance, verification and acceptance of interoperable certificates on vaccination, testing and recovery to facilitate free movement during the COVID-19 pandemic (Digital Green Certificate) by the European Commission of 17 March 2021]