In the Slovak Republic, on October 24, 2020, Slovak Government Resolution No. 678 of October 22, 2020, entered into force, introducing a curfew valid until November 1, 2020. The restriction on movement is extended until November 8, 2020, by the new Slovak Government Resolution No. 693 of October 28, 2020. However, the curfew does not apply to certain exceptions. Among these exceptions until November 1 are travel to and from work and travel for the purpose of conducting business or other similar activities. As of November 2, 2020, this exception no longer applies; however, for the purpose of performing work or business activities, an exception is introduced for a person who presents a confirmation of a negative RT-PCR test result performed between October 29, 2020, and November 1, 2020, or a certificate issued by the Ministry of Health of the Slovak Republic with a negative result of an antigen test certified within the European Union for COVID-19 performed between October 29, 2020, and November 1, 2020, by an entity participating in the nationwide testing “Shared Responsibility”.
This means that as of November 2, 2020, only individuals with a negative COVID-19 test result will be allowed to leave their homes. This also applies to going to work outside the employee’s home.
Based on this, employers (data controllers) have decided that starting Monday, November 2, 2020, they will require employees and other individuals entering their premises to present proof of a negative COVID-19 test result.
Is such verification appropriate from a personal data protection perspective?
The scope of personal data that individuals provide upon entering the premises by allowing a designated person to view the relevant document includes first name, last name, date of birth (personal data), and test result (special category of personal data). From the perspective of the GDPR and Act No. 18/2018 Coll. on the Protection of Personal Data, this therefore constitutes the processing of this personal data. However, employers should not perform any further operations with this personal data, i.e., no recording, disclosure to third parties, etc. Defining the legal basis for performing such processing operations could currently be contentious given the differing opinions of state institutions, including the situation where the Public Health Authority of the Slovak Republic issued a Decree on September 30, 2020, ordering measures in the event of a public health threat regarding the regime for persons entering the premises of businesses and employers, available here: https://www.uvzsr.sk/docs/info/ut/vestnik_ciastka_12_2020.pdf (hereinafter referred to as the “Decree”).
The Decree, issued pursuant to Section 59b of Act No. 355/2007 Coll. on the protection, promotion, and development of public health and on amendments to certain acts (hereinafter referred to as “Act No. 355/2007 Coll.”), prescribes measures in the event of a threat to public health pursuant to Section 48(4)(e), (s), (x), and (z) of Act No. 355/2007 Coll. A significant measure is the imposition of a ban on entry by persons into the outdoor and indoor premises of facilities by facility operators. Similarly, the obligation to prohibit entry into the premises is also imposed on employers with respect to their employees. This entry ban does not apply to the exhaustively listed exceptions, which individuals must prove to the operator/employer by presenting the relevant document, which the operator/employer is authorized to only inspect. This means that the operator/employer will act legitimately if they merely inspect the test result confirmation and, based on that, allow or deny the employee or other person entry to their premises.
However, in the opinion of the authors of this article, given the wording and phrasing used in the Decree, it may be debatable whether this Decree is capable of serving as a relevant legal basis for the processing of data subjects’ personal data under Article 6(1)(c) of the GDPR (i.e., compliance with the controller’s legal obligation). The Decree does not explicitly impose an obligation on controllers/employers to request the relevant document, but only regulates the authority of controllers/employers. However, this does not affect the legitimacy of the controllers’ and employers’ authority to request the provision of the document. It may, however, affect the identification of the legal basis for processing this personal data.
The authors of the article are of the opinion that controllers/employers may rely on a different legal basis for processing this personal data.
Following widespread testing, any individual who tests positive or who refuses to be tested must undergo mandatory quarantine and is subject to a curfew (subject to other exceptions).
Based on the wording of the Decree, it can be concluded that if an employee fails to present a document proving an exception to the ban on entry to the premises, it is presumed that this person does not meet the occupational safety and health requirements under Section 5 of Act No. 124/2006 Coll. on Occupational Safety and Health and on Amendments to Certain Acts, as amended.
What legal basis for the processing of personal data would be used in such a case?
Controllers could thus rely on the legal basis under Article 6(1)(d) of the GDPR, according to which processing is necessary to protect the vital interests of the data subject or another natural person. According to Recital 46 of the GDPR, the processing of personal data should also be considered lawful if it is necessary for the purposes of protecting an interest vital to the life of the data subject or of another natural person. The processing of personal data based on the vital interests of another natural person should, in principle, only take place when such processing clearly cannot be based on another legal basis. Certain types of processing may serve both important public interest purposes and the vital interests of the data subject, for example, where processing is necessary for humanitarian purposes, including the monitoring of epidemics and their spread or in humanitarian emergency situations, particularly in the event of natural disasters and man-made disasters.
Since the test result, together with the person’s identifying data such as first name, last name, and date of birth, constitutes a special category of personal data, it is necessary to apply an exception to the prohibition on processing; in this case, the exception under Article 9(2)(i) of the GDPR, where processing is necessary for reasons of public interest in the area of public health, such as protection against serious cross-border threats to health or ensuring a high level of quality and safety of healthcare and medicines or medical devices, based on Union or Member State law establishing appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy. The application of the relevant exception is also justified with reference to Recitals 52 to 54 of the GDPR.
For the aforementioned exception to apply, the condition of necessity for reasons of public health protection must be met, including protection against serious cross-border health threats, which can be inferred, for example, from Part Seven of Act No. 355/2007 Coll. In this case, the condition of the cross-border nature of the health threat is also met, which can be understood as a threat of a global nature, where, as a result of a single impact, the health of people in at least two Member States is threatened.
We also base this on the World Health Organization’s (WHO) declaration of March 11, 2020, declaring the spread of COVID-19 a global pandemic. European bodies and institutions subsequently draw on these conclusions, promoting efforts to guide Member States toward a coordinated approach.
At the same time, it is required that appropriate and specific measures to protect the rights and freedoms of the data subject be established in Union law or the law of the Slovak Republic, which may also include legal provisions in the area of personal data protection under the GDPR and Act No. 18/2018 Coll. on the Protection of Personal Data; specifically, we refer to Section 79 of this Act, which governs the duty of confidentiality regarding personal data (note: the relevant provision of the Act applies to the relationships in accordance with Section 3 of Act No. 18/2018 Coll.). We note that there may also be other specific legal regulations that establish a duty of confidentiality regarding obtained personal data and the like for the given case.
For the sake of completeness, regarding the condition of necessity for this processing, we refer to the obligation of natural persons-entrepreneurs and legal entities under Section 52(1)(a) of Act No. 355/2007 Coll. on the protection, support, and development of public health and on amendments to certain acts, to implement disease prevention measures pursuant to Section 12(2)(a) through (c), (e) and (g) through (n) of this Act, whereby, pursuant to Section 12(2)(h), one of these measures is also the prohibition or restriction of the practice of a profession by persons suffering from a communicable disease or suspected of having such a disease.
To support the view presented above, we would also like to refer to the Statement of the European Data Protection Board (EDPB) on the processing of personal data in the context of the spread of COVID-19, adopted on March 19, 2020, which is available in English here: https://edpb.europa.eu/news/news/2020/statement-processing-personal-data-context-covid-19-outbreak_sk.
The EDPB expressed the fundamental view that data protection rules (such as the GDPR) do not preclude measures taken to combat the coronavirus pandemic, and that an emergency situation is a legitimate ground that may justify restrictions on freedoms, provided that such restrictions are proportionate and limited to the exceptional period. The EDPB, of course, emphasizes ensuring the lawfulness of personal data processing and safeguarding such data.
The EDPB explicitly addresses the processing of personal data related to the COVID-19 pandemic in the context of employers, noting that in the employment context, the processing of personal data may be necessary for employers to fulfill their legal obligations regarding the safety and health of the workplace or in the public interest, such as in the control of diseases and other health risks. The EDPB notes that the GDPR provides for exceptions to the prohibition on processing special categories of personal data, such as health data, where necessary for reasons of substantial public interest in the area of public health (referring to Article 9(2)(i) of the GDPR), as Recital 46 of the GDPR explicitly refers to the control of epidemics.
Based on the foregoing, it can be concluded that the employer’s request for an employee to provide proof of a negative test result is merely a means of fulfilling its legal obligation under Act No. 355/2007 Coll., and the personal data obtained in this manner must be used exclusively for this purpose. Once the purpose has been fulfilled, the employer may not further process the personal data.
At the same time, however, it is very important that the employer take all necessary technical and organizational measures to ensure the protection of personal data obtained in this manner and process it in accordance with the GDPR and Act No. 18/2018 Coll. in cases where this Act applies.
In its statement, the EDPB also emphasizes several fundamental principles that must be taken into account in connection with the outbreak of the COVID-19 pandemic and the processing of personal data to prevent its spread. Personal data necessary to achieve these objectives should be processed only for specific and explicit purposes, and the data subject must receive transparent information about the processing activities and their main characteristics. It is also particularly important to apply the principles of proportionality and data minimization, meaning that employers should request health information only to the extent permitted by national legislation (author’s note: the laws and Decree mentioned above may be applied here).
Based on the EDPB’s statement, the competent authorities of several Member States have issued their own statements, taking into account their national regulations. Of particular interest is, for example, the approach of the Irish Data Protection Commission, which, on the one hand, emphasized employers’ obligations to protect their employees and their privacy, but noted that Article 9(2)(i) of the GDPR allows employers to process employees’ personal data regarding their health status in connection with COVID-19, in conjunction with the obligations imposed by national law on employers to ensure the protection and safety of health and good working conditions in the workplace. Other Member States apply a similar approach, and we therefore consider it reasonable that these legal bases and exceptions arising from the GDPR in conjunction with Slovak national legal norms be similarly applied in Slovakia.
Is it necessary for the person presenting proof to consent to providing such proof?
Since the legal basis for such an action—presenting proof of a negative COVID-19 test result—is the protection of life and health pursuant to Article 6(1)(d) of the GDPR and not consent to the processing of personal data pursuant to Article 6(1)(a) of the GDPR, it is not necessary to obtain such consent from the data subjects.
What should the technical and organizational measures for personal data protection be?
- Transparency should be ensured through the duty to inform, whereby you will provide data subjects with detailed information in accordance with Article 13 of the GDPR regarding how you handle personal data.
- After an authorized person verifies the certificate of non-infection, no further processing of personal data may take place, whether automated or non-automated.
- Personal data obtained in this manner must not be stored or recorded in any way.
- As part of the personal data protection management system, the controller must have a detailed procedure in place for such processing of personal data.
- Persons who perform specific tasks on behalf of the controller in verifying the data subject’s negative test results, i.e., authorized persons, must be properly instructed within the personal data protection management system, and such instruction should be documented.
- An authorized person must be bound by a duty of confidentiality regarding the personal data obtained.
- The principle of data minimization must be observed, not only in the scope of processing but also in the number of authorized persons; this means that such data collection and verification should be carried out only with respect to persons whose entry into the employer’s premises is necessary.
Finally, we draw your attention to the preliminary opinion issued by the Slovak Data Protection Authority regarding the presentation of a negative test result or certificate from mass testing, available here: https://dataprotection.gov.sk/uoou/sk/content/predbezne-stanovisko-uradu-k-preukazovaniu-sa-negativnym-vysledkom-testu-certifikatom-z. We do not fully agree with the Office’s opinion on this matter and maintain the position presented above. We continuously monitor and consult on the Authority’s opinions.
Based on the above facts, our partner consulting firms Top privacy s.r.o. and Hronček & Partners, s. r. o. law firm are ready to provide you with detailed advice and draft the necessary documents required under applicable laws.
If you have any questions regarding this matter, please do not hesitate to contact us via email at: info@topprivacy.sk/info@legalfirm.sk or call us at +421 908 230 438/ +421 908 602 103.
Note: This article reflects the author’s opinion. This opinion is subject to change and is not binding. In preparing this article, the author relied on information he considered reliable.*
*This article is for informational purposes only, and neither the author nor the company publishing the article is responsible for the accuracy, completeness, or timeliness of the opinions expressed herein. Both the author and the company publishing the article disclaim any liability for any harm or damage incurred by any person as a result of relying on the information provided in the article and the procedures described therein. Please note that government authorities and courts, which are authorized to apply legal norms, may take a different position on the matter. The information in the article also does not reflect the situation of any specific person.