Italian Data Protection Authority Issues Guidelines on Data Processing Relating to Employees' COVID-19 Vaccinations at the Workplace

Laura Baldisserra, Carla Calcagnile
Jones Day
Contact
LinkedIn
Facebook
X
Send
Embed

Jones Day

The Italian Data Protection Authority ("DPA") has issued guidelines on data protection rules applying to COVID-19 vaccinations at the workplace.

On May 13, 2021, the Italian DPA issued guidelines on data protection rules applying to COVID-19 vaccinations at the workplace that can be organized by employers in accordance with a national protocol on workplace vaccinations adopted on April 6, 2021.

The DPA confirmed that employers may not collect, either directly or indirectly (including through healthcare professionals), any personal data of employees participating in the workplace vaccination campaign, including their participation in such campaign, vaccination status and any other information about employees' health conditions. Unless otherwise provided by law (e.g., healthcare professionals subject to mandatory vaccination requirements), employees can freely decide whether or not to participate in the vaccination campaign without incurring any positive or negative consequences as a result of their choice.

Moreover, according to the DPA guidelines:

  • Under the current legal framework, the processing of vaccination data is permitted as being necessary for the purposes of preventive or occupational medicine (as per Article 9 (2) (h) of GDPR);
  • Data relating to the participation in the vaccination campaign of identified or identifiable employees must be processed only by healthcare professionals, while employers can process only certain aggregated anonymous data (e.g., number of vaccines to be administered);
  • Adequate technical and organizational measures must be implemented to ensure that employers do not have access to employees' vaccination data while organizing the vaccination campaign;
  • Workplace vaccinations must be organized in such a way to guarantee the confidentiality and dignity of employees (as well as with regard to the organization of the vaccination space); and
  • Employees who choose to be vaccinated can justify their absence from work through a certificate issued by the healthcare professional, which should only mention the provision of a generic healthcare treatment without specifying that the employee has been vaccinated. Should the certificate mention the specific healthcare treatment (i.e., that the employee has been vaccinated), employers are prevented from processing such additional information for any purpose other than retaining the certificate as proof of a justified absence for the employee.

In addition to the COVID-19 vaccination guidelines described above, the Italian DPA issued specific guidelines on data protection rules applying to company doctors with respect to the processing of employees' healthcare data. These guidelines need to be considered as well, as the company doctor is the healthcare professional entitled to process employees' healthcare data, including those in relation to COVID-19 vaccinations.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising

Written by:

Jones Day
Jones Day
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Jones Day on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide