
Remembering data protection when receiving employees’ test results

Legal news
25 February 2020
Denmark, Sweden, Norway


The Danish Data Protection Authority is currently investigating a company that allegedly used a WhatsApp group to exchange test results. With the many new rules which either allow companies to require that employees get tested or require companies to ensure that foreign employees are tested, it is important that companies pay special attention to how this sensitive data is processed.

Employees at a test provider were allegedly instructed to use a WhatsApp group to handle information on individuals who tested positive for coronavirus. Consequently, the Danish Data Protection Agency has initiated an investigation to, among other things, determine who the data controller was, whether information was disclosed to others and whether the appropriate safeguards had been taken.

In Denmark, companies have since the last part of 2020 been able to require that employees get tested for coronavirus and to receive the test result when certain conditions are met. In the beginning of 2021, new statutory requirements also introduced an obligation upon companies to ensure that foreign employees get tested for coronavirus after entry into Denmark. We have described the requirements in more detail here and here.

In Sweden, the main rule is that companies cannot require that employees get tested for coronavirus. Whether companies should have the possibility to introduce such a requirement must be determined on a case-by-case basis, by balancing the interests of the company to have all or certain employees tested against the employees’ interests and personal integrity. Also, if the company is subject to a collective bargaining agreement, consultations should always be initiated here first.

In Norway, companies can require that employees are tested for coronavirus and can receive the test results when necessary to safeguard safety and health. Companies may also be able to require, receive and process information on whether an employee is or has been infected with coronavirus in connection with the obligation to pay sick pay.

Test results contain health information

Companies that receive employees’ test results or otherwise receive information on whether or not an employee is or has been infected with coronavirus must be attentive to the fact that such information is health information. Because health information qualifies as a special category of personal data, stricter requirements are triggered under the applicable data protection rules.

Besides national requirements which apply depending on how the health information is obtained, companies must also, as data controllers, be aware:

  • That there must be a so-called “double lawful basis” under both Articles 6 and 9 of the Regulation

  • That there is a separate duty to inform employees on the processing activities under the Regulation

  • That stricter safeguards must be introduced when processing such special categories of data

  • That companies must comply with the requirements on data minimisation, as far as possible, in accordance with the data processing principles

  • That these, for many, new processing activities will trigger requirements to update internal records

IUNO’s opinion

Companies must be aware that the more sensitive the data being processed is, the stricter the requirements under the applicable data protection rules are. Consequently, it is also an aggravating circumstance in the Danish, Swedish or Norwegian Data Protection Authorities’ assessments if a breach of the rules concerns special categories of data.

IUNO recommends that companies which, in the course of attempting to ensure a healthy and safe work environment or seeking to comply with national obligations, receive information on employees’ test results or in other ways get information on whether or not employees have been infected with coronavirus, carefully examine national requirements, including potential duties to inform or consult, in connection with ensuring compliance with applicable data protection rules.



Anders Etgen Reitz, Partner

Kirsten Astrup, Senior associate
