EN
HR Legal Data protection

Remembering data protection when receiving employees’ test results

logo
Legal news
calendar 25 February 2020
globus Denmark, Sweden, Norway


The Danish Data Protection Authority is currently investigating a company that allegedly had used a WhatsApp group to exchange test results. With the many new rules which either allows companies to require that employees get tested or require companies to ensure that foreign employees are tested, it is important that companies pay special attention to how this sensitive data is processed.

Employees at a test provider were allegedly instructed to use a WhatsApp group to handle information on individuals who were tested positive for coronavirus. Consequently, the Danish Data Protection Agency has initiated an investigation to, among other things, determine who the data controller was, if information was disclosed to others and if the appropriate safeguards had been taken.

In Denmark, companies have since the last part of 2020 had access to require that employees get tested for coronavirus and to receive the rest result when certain conditions are met. In the beginning of 2021, new statutory requirements also introduced an obligation upon companies to ensure that foreign employees get tested for coronavirus after entry in Denmark. We have described the requirements in more detail here and here.

In Sweden, the main rule is that companies cannot require that employees get tested for coronavirus. Whether companies should have the possibility to introduce such a requirement must be determined on a case-by-case basis, by balancing the interests of the company to have all or certain employees tested against the employees’ interests and personal integrity. Also, if the company is subject to a collective bargaining agreement, consultations should always be initiated here first.

In Norway, companies have access to require that employees are tested for coronavirus and to receive the test results when necessary to safeguard safety and health. Companies can also have access to require to receive and process information on whether an employee is or has been infected with coronavirus in connection with the obligation to pay sick pay.

Test results contain health information

Companies that receive employees’ test results or otherwise receive information on whether or not an employee is or has been infected with coronavirus, must be attentive to the fact that such information is health information. Because health information qualifies as a special category of personal data, stricter requirements are triggered under applicable the data protection rules.

Besides for national requirements which apply depending on how the health information is obtained, companies must also – as data controllers - be aware:

  • That there must be a so-called “double lawful basis” under both article 6 and 9 in the Regulation

  • That there is a separate duty to inform employees on the processing activities under the Regulation

  • That stricter safeguards must be introduced when processing such special categories of data

  • That companies must comply with the requirements on data minimisation, as far as possible, in accordance with the data processing principles

  • That these, for many, new processing activities will trigger requirements to update internal records

IUNO’s opinion

Companies must be aware that the more sensitive the data which is being processed is, the stricter the requirements under the applicable data protection rules are. Consequently, that also means that it is an aggravating circumstance in the assessment of the Danish, Swedish or Norwegian Data Protection Authorities’ assessments if a breach of the rules concerns special categories of data.

IUNO recommends that companies which in the course of attempting to ensure a healthy and safety work environment or seeks to comply with national obligations receives information on employees’ test results or in other ways gets information on whether or not employees have been infected with coronavirus, carefully examines national requirements, including potential duties to inform or consult, in connection with ensuring compliance with applicable data protection rules.

Employees at a test provider were allegedly instructed to use a WhatsApp group to handle information on individuals who were tested positive for coronavirus. Consequently, the Danish Data Protection Agency has initiated an investigation to, among other things, determine who the data controller was, if information was disclosed to others and if the appropriate safeguards had been taken.

In Denmark, companies have since the last part of 2020 had access to require that employees get tested for coronavirus and to receive the rest result when certain conditions are met. In the beginning of 2021, new statutory requirements also introduced an obligation upon companies to ensure that foreign employees get tested for coronavirus after entry in Denmark. We have described the requirements in more detail here and here.

In Sweden, the main rule is that companies cannot require that employees get tested for coronavirus. Whether companies should have the possibility to introduce such a requirement must be determined on a case-by-case basis, by balancing the interests of the company to have all or certain employees tested against the employees’ interests and personal integrity. Also, if the company is subject to a collective bargaining agreement, consultations should always be initiated here first.

In Norway, companies have access to require that employees are tested for coronavirus and to receive the test results when necessary to safeguard safety and health. Companies can also have access to require to receive and process information on whether an employee is or has been infected with coronavirus in connection with the obligation to pay sick pay.

Test results contain health information

Companies that receive employees’ test results or otherwise receive information on whether or not an employee is or has been infected with coronavirus, must be attentive to the fact that such information is health information. Because health information qualifies as a special category of personal data, stricter requirements are triggered under applicable the data protection rules.

Besides for national requirements which apply depending on how the health information is obtained, companies must also – as data controllers - be aware:

  • That there must be a so-called “double lawful basis” under both article 6 and 9 in the Regulation

  • That there is a separate duty to inform employees on the processing activities under the Regulation

  • That stricter safeguards must be introduced when processing such special categories of data

  • That companies must comply with the requirements on data minimisation, as far as possible, in accordance with the data processing principles

  • That these, for many, new processing activities will trigger requirements to update internal records

IUNO’s opinion

Companies must be aware that the more sensitive the data which is being processed is, the stricter the requirements under the applicable data protection rules are. Consequently, that also means that it is an aggravating circumstance in the assessment of the Danish, Swedish or Norwegian Data Protection Authorities’ assessments if a breach of the rules concerns special categories of data.

IUNO recommends that companies which in the course of attempting to ensure a healthy and safety work environment or seeks to comply with national obligations receives information on employees’ test results or in other ways gets information on whether or not employees have been infected with coronavirus, carefully examines national requirements, including potential duties to inform or consult, in connection with ensuring compliance with applicable data protection rules.

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Associate

Similar news

logo
HR Legal

28 February 2021

Fine to terminate by registered mail when employee had symptoms of coronavirus

logo
HR Legal

28 February 2021

Unpaid accrued pension entitlements were also transferred in a transfer of undertakings

logo
Data protection

25 February 2021

Company faces 100 million NOK fine for unlawful disclosure of data

logo
HR Legal Data protection

25 February 2021

How to lawfully prevent the spread of coronavirus at the workplace

logo
HR Legal

23 February 2021

Non-disclosure clauses in sexism and sexual harassment cases

logo
HR Legal

21 February 2021

Introducing permanent remote working – What must companies do?

Learning

logo
HR Legal
2 September 2019

Livestream on restructuring in the Nordic Region

logo
HR Legal
2 September 2019

Seminar on restructuring in the Nordic Region (Copenhagen)

logo
HR Legal
3 December 2018

International HR Legal Day 2018

logo
HR Legal
3 December 2018

Seminar on development and employment forms (english)

logo
HR Legal
21 November 2018

Seminar on Employee Influence in the Nordics (Helsinki)

logo
HR Legal
20 November 2018

Seminar on Employee Influence in the Nordics (Copenhagen)

// COOKIE INFORMATION POPUP SCRIPT