EN
HR Legal Technology

Remembering data protection when receiving employees’ test results

logo
Legal news
calendar 25 February 2020
globus Denmark, Sweden, Norway


The Danish Data Protection Authority is currently investigating a company that allegedly had used a WhatsApp group to exchange test results. With the many new rules which either allows companies to require that employees get tested or require companies to ensure that foreign employees are tested, it is important that companies pay special attention to how this sensitive data is processed.

Employees at a test provider were allegedly instructed to use a WhatsApp group to handle information on individuals who were tested positive for coronavirus. Consequently, the Danish Data Protection Agency has initiated an investigation to, among other things, determine who the data controller was, if information was disclosed to others and if the appropriate safeguards had been taken.

In Denmark, companies have since the last part of 2020 had access to require that employees get tested for coronavirus and to receive the rest result when certain conditions are met. In the beginning of 2021, new statutory requirements also introduced an obligation upon companies to ensure that foreign employees get tested for coronavirus after entry in Denmark. We have described the requirements in more detail here and here.

In Sweden, the main rule is that companies cannot require that employees get tested for coronavirus. Whether companies should have the possibility to introduce such a requirement must be determined on a case-by-case basis, by balancing the interests of the company to have all or certain employees tested against the employees’ interests and personal integrity. Also, if the company is subject to a collective bargaining agreement, consultations should always be initiated here first.

In Norway, companies have access to require that employees are tested for coronavirus and to receive the test results when necessary to safeguard safety and health. Companies can also have access to require to receive and process information on whether an employee is or has been infected with coronavirus in connection with the obligation to pay sick pay.

Test results contain health information

Companies that receive employees’ test results or otherwise receive information on whether or not an employee is or has been infected with coronavirus, must be attentive to the fact that such information is health information. Because health information qualifies as a special category of personal data, stricter requirements are triggered under applicable the data protection rules.

Besides for national requirements which apply depending on how the health information is obtained, companies must also – as data controllers - be aware:

  • That there must be a so-called “double lawful basis” under both article 6 and 9 in the Regulation

  • That there is a separate duty to inform employees on the processing activities under the Regulation

  • That stricter safeguards must be introduced when processing such special categories of data

  • That companies must comply with the requirements on data minimisation, as far as possible, in accordance with the data processing principles

  • That these, for many, new processing activities will trigger requirements to update internal records

IUNO’s opinion

Companies must be aware that the more sensitive the data which is being processed is, the stricter the requirements under the applicable data protection rules are. Consequently, that also means that it is an aggravating circumstance in the assessment of the Danish, Swedish or Norwegian Data Protection Authorities’ assessments if a breach of the rules concerns special categories of data.

IUNO recommends that companies which in the course of attempting to ensure a healthy and safety work environment or seeks to comply with national obligations receives information on employees’ test results or in other ways gets information on whether or not employees have been infected with coronavirus, carefully examines national requirements, including potential duties to inform or consult, in connection with ensuring compliance with applicable data protection rules.

Employees at a test provider were allegedly instructed to use a WhatsApp group to handle information on individuals who were tested positive for coronavirus. Consequently, the Danish Data Protection Agency has initiated an investigation to, among other things, determine who the data controller was, if information was disclosed to others and if the appropriate safeguards had been taken.

In Denmark, companies have since the last part of 2020 had access to require that employees get tested for coronavirus and to receive the rest result when certain conditions are met. In the beginning of 2021, new statutory requirements also introduced an obligation upon companies to ensure that foreign employees get tested for coronavirus after entry in Denmark. We have described the requirements in more detail here and here.

In Sweden, the main rule is that companies cannot require that employees get tested for coronavirus. Whether companies should have the possibility to introduce such a requirement must be determined on a case-by-case basis, by balancing the interests of the company to have all or certain employees tested against the employees’ interests and personal integrity. Also, if the company is subject to a collective bargaining agreement, consultations should always be initiated here first.

In Norway, companies have access to require that employees are tested for coronavirus and to receive the test results when necessary to safeguard safety and health. Companies can also have access to require to receive and process information on whether an employee is or has been infected with coronavirus in connection with the obligation to pay sick pay.

Test results contain health information

Companies that receive employees’ test results or otherwise receive information on whether or not an employee is or has been infected with coronavirus, must be attentive to the fact that such information is health information. Because health information qualifies as a special category of personal data, stricter requirements are triggered under applicable the data protection rules.

Besides for national requirements which apply depending on how the health information is obtained, companies must also – as data controllers - be aware:

  • That there must be a so-called “double lawful basis” under both article 6 and 9 in the Regulation

  • That there is a separate duty to inform employees on the processing activities under the Regulation

  • That stricter safeguards must be introduced when processing such special categories of data

  • That companies must comply with the requirements on data minimisation, as far as possible, in accordance with the data processing principles

  • That these, for many, new processing activities will trigger requirements to update internal records

IUNO’s opinion

Companies must be aware that the more sensitive the data which is being processed is, the stricter the requirements under the applicable data protection rules are. Consequently, that also means that it is an aggravating circumstance in the assessment of the Danish, Swedish or Norwegian Data Protection Authorities’ assessments if a breach of the rules concerns special categories of data.

IUNO recommends that companies which in the course of attempting to ensure a healthy and safety work environment or seeks to comply with national obligations receives information on employees’ test results or in other ways gets information on whether or not employees have been infected with coronavirus, carefully examines national requirements, including potential duties to inform or consult, in connection with ensuring compliance with applicable data protection rules.

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Managing associate (on leave)

Similar

logo
HR Legal

27 March 2024

Rules on pay transparency on the way

logo
HR Legal

27 March 2024

Internal information was not trade secrets

logo
HR Legal

10 March 2024

Every beard you take

logo
HR Legal

25 February 2024

A salary freeze is not always a breeze in the Nordics

logo
HR Legal

25 February 2024

Next stop, neutrality town!

logo
HR Legal

25 February 2024

Money speaks louder than words

The team

Alexandra

Jensen

Legal advisor

Anaïs

Kjærgaard Crouzet

Associate

Anders

Etgen Reitz

Partner

Caroline

Thorsen

Junior legal assistant

Cecillie

Groth Henriksen

Senior associate

Johan

Gustav Dein

Associate

Julie

Meyer

Senior legal assistant

Kirsten

Astrup

Managing associate (on leave)

Maria

Kjærsgaard Juhl

Legal advisor

Sofie

Aurora Braut Bache

Managing associate

Søren

Hessellund Klausen

Partner