Employee health data is among the most sensitive personal data, and processing it incorrectly exposes a company to significant legal risk. The GDPR places health information in a special category of personal data that enjoys stricter protection, so an employer that handles employee health data in breach of the rules faces heavy penalties: regulators can impose fines of up to €20 million or 4% of a company's annual worldwide turnover, whichever is higher. Fines of tens of millions of euros have already been handed down in practice. For example, the Hamburg data protection authority fined H&M €35.3 million (approx. CZK 900 million) for unlawfully "spying" on employees by collecting intimate details about their health and private lives.
Author of the article: JUDr. Jakub Dohnal, Ph.D., LL.M., ARROWS advokátní kancelář (office@arws.cz, +420 245 007 740)
In addition to financial penalties, a company found to have mishandled sensitive employee data faces a loss of trust and reputational damage that is hard to quantify. It is not unusual for employees themselves to lodge complaints or take legal action: in a recent Berlin case, an employee's complaint about an unauthorised database of health information led to the intervention of the supervisory authority, which found the conduct to be in breach of Article 9 of the GDPR. The protection of employee health data clearly must not be underestimated.
The General Data Protection Regulation (GDPR) prohibits the processing of special categories of personal data, including data relating to an individual's health, unless one of the exceptions directly listed in the Regulation is met. In other words, an employer may not collect or record information about an employee's illness, diagnosis or disability unless it has a clear legal basis and corresponding legal authority to do so. Therefore, in addition to the general principles of processing (such as lawfulness, fairness, data minimisation, etc.), the employer must comply with two levels of conditions for any processing of health data:
1. "Ordinary" legal basis under Article 6 GDPR:
There must be one of the grounds for processing recognised by the GDPR for personal data in general (e.g. performance of a legal obligation, legitimate interest, exceptionally data subject consent, etc.).
2. Exemption for sensitive data under Article 9 GDPR:
Beyond the normal legal basis, a special condition must also be met that allows the processing of health data. In fact, the GDPR protects such data more strictly - they are a priori prohibited unless the controller can prove that they fall under one of the exhaustively listed exceptions (e.g. the processing is necessary for the purposes of healthcare, employment law obligations, etc.).
Typical exemptions that allow an employer to legally process an employee's health information include:
Compliance with employment law and OSH obligations
If the processing of health data is required by a specific law or is necessary to fulfil the employer's obligations under the Labour Code or social security regulations. This includes, for example, records of temporary incapacity for work for the purposes of payment of sick pay, keeping records of work accidents or occupational diseases, etc.
Preventive and occupational health care
Medical examination data, fitness-for-work reports or test results, where necessary to assess the employee's fitness for work. Such data is generally processed by an occupational health service provider or another health professional bound by confidentiality; the employer should receive only the fitness conclusion ("fit/unfit for work"), not detailed diagnoses.
Protection of vital interests
For example, the provision of medical information in a situation where the life or health of an employee or other person is at stake and the employee is unable to give consent (typically an acute medical emergency at the workplace).
Public interest in health care
Emergencies such as epidemics may justify certain processing - e.g. temperature measurement, recording of test results for infectious diseases, etc., if this is in the interest of protecting public health and at the same time based on legal provisions or the employer's legitimate interest to fulfil the obligation to provide a safe working environment.
Explicit consent of the employee
Only exceptionally, if no other title applies, may the employee voluntarily give explicit consent to the processing of specific health data for a given purpose. Consent must be free and informed, it cannot be merely "assumed" or coerced, and the employee may withdraw it at any time. Caution is warranted in the employment setting, however: given the relationship of superiority and dependence, employee consent is often considered not to be given entirely voluntarily, and regulators have questioned the validity of such consents. Consent should therefore be used sparingly, e.g. for wholly voluntary benefits or above-standard services that the employee is free not to use.
In addition to choosing the correct legal title, it is essential to comply with the principles of data minimisation and purpose limitation. In practice, this means collecting only the health information about an employee that is necessary to fulfil a legitimate purpose and not using it further in a way that is incompatible with the original purpose. As the Data Protection Authority aptly stated in the Berlin case mentioned above - if an employer cannot demonstrate that it actually needs certain health data for a legitimate purpose or legal obligation, it violates the necessity and minimization principle under Article 5 of the GDPR. A company should therefore always be able to justify why it requires and processes the specific health information in question.
In everyday HR practice there are many situations in which working with employee health data may be necessary. Below are common scenarios, best practices and recommendations for ensuring GDPR compliance:
Typical situations requiring the processing of health data:
Sick leave (temporary disability)
When an employee falls ill, they usually have to provide a doctor's certificate. The standard certificate of incapacity for work ("sick note") given to the employer states only that the employee is temporarily unable to work and for how long; it does not give the diagnosis or details of the illness.
Such a certificate does not contain sensitive health data within the meaning of the GDPR, so receiving and filing it is fine. The employer should insist on exactly this form.
On the other hand, the employer has no right to require a detailed medical report with a diagnosis (for example an injury report or test results beyond the scope of a fitness-for-work assessment). If the employer collected such detailed medical documents without a legal obligation, it would breach the prohibition on processing special-category data.
Recent opinions suggest that employers should accept, as evidence of sickness, only a standard certificate of incapacity for work without a diagnosis; accepting documents with specific medical details (e.g. the cause of the illness) may be treated as an administrative offence under data protection law. (The exception is where another piece of legislation directly requires such details to be transmitted; see the records of work-related accidents below.)
Occupational accidents and diseases
In the event of a workplace accident or occupational disease, the employer has a legal obligation to record and report these events (e.g. to the labour inspectorate, insurance company). The record of work accidents usually includes a description of the injury or illness, the circumstances of the incident and other medical information necessary to assess the employee's claims. Here, there is therefore a legal basis for processing even more detailed health data - this is the fulfilment of the employer's legal obligation in the field of occupational safety.
However, these records must be protected as carefully as other sensitive data and should only be accessed by authorised persons (see below). It is also important to bear in mind that the law sets specific time limits for the retention of accident records: under employment law, records of occupational accidents and diseases are kept for 30 years (for pension insurance purposes). The company must therefore ensure that this data is securely stored for this period and then securely disposed of.
Initial and periodic medical examinations
The Labour Code and related regulations require employers to ensure that employees perform work appropriate to their medical fitness. Employees are therefore required to undergo occupational health examinations before starting work and at certain intervals during their employment. A medical fitness assessment is issued by a contracted doctor and the employer usually receives only the result: fit/unfit for work (with restrictions, if any). The details of the examination or diagnosis remain confidential between the employee and the doctor.
The recommendation for the HR department is therefore to keep only the fitness assessment itself (the certificate of the result), not the complete medical records. The processing of this data rests on a legal obligation (compliance with OSH requirements) and on the exception in Article 9(2)(h) GDPR (preventive or occupational medicine, assessment of the employee's working capacity). Again, the obligation to secure these documents against unauthorised access applies.
Testing for COVID-19 and other health screenings
The pandemic emergency left many employers wondering whether they could collect health information such as COVID-19 test results or vaccination status, or take temperatures at the workplace entrance. During the pandemic the data protection authority confirmed that taking a temperature or recording a negative test may be justified under strict conditions, in particular where the employer's obligation to provide a safe and healthy working environment requires it.
The legal basis here may be legitimate interest or the performance of a legal obligation (OHS), and at the same time an Article 9 exception must be met: the public interest in the area of public health (Article 9(2)(i)) or the employer's obligations under employment and social protection law (Article 9(2)(b)). Where an employee is unable to consent and their life is at risk, the protection of vital interests (Article 9(2)(c)) applies instead.
In practice, this means taking only the necessary steps (e.g. not measuring across the board unless the situation requires it, not storing data for more than the necessary period of time) and taking care to ensure maximum security of the data thus obtained. For example, if a company records that an employee has tested positive on a certain day, it must treat this record as strictly confidential and delete it once the purpose has passed.
In each of the situations described above, the employer should clarify on what basis (reason) it is processing the health data. As a general rule, this will either be to comply with a legal obligation (legal title under Article 6(1)(c) GDPR - e.g. the obligation to keep accident records, to enable sickness benefit checks, to provide medical examinations, etc.), or the employer's legitimate interest (Article 6(1)(f) - typically to ensure safety in the workplace, to protect the health of other employees, to control the abuse of sick-days, etc.).
Less often, it may be the employee's consent (Art. 6(1)(a)), but only use this where it is not really an obligation or a necessary step (e.g. the employee volunteers information about his/her health limitation so that the employer can accommodate him/her - again, it is often more likely to be a basis for fulfilling an obligation not to discriminate against him/her). It is important not to combine multiple titles at once in a cluttered way - choose the most appropriate one for each processing purpose and include this reason in the processing records and information for employees.
Remember also the requirement of Article 9 GDPR: for the chosen Article 6 title you must also have a corresponding exception for sensitive data (see above). For example, if you store certificates of incapacity for work, the legal title is the performance of a legal obligation (records for the Czech Social Security Administration, CSSA) and the specific exception is Article 9(2)(b) GDPR (processing necessary for carrying out obligations under employment law).
If you do find yourself relying on an employee's consent to process health data, be careful about its form and content. Consent must be explicit, preferably in writing or electronically signed, and never implied. Be specific about which data and for what purpose the employee consents (e.g. one-time biometric testing for a voluntary health programme). Consent must not be hidden in the employment contract or general terms and conditions; it must be a separate document or a clearly separate clause. Tell the employee that they can withdraw consent at any time and give them a simple way to do so (e.g. contacting HR or the DPO). Never make routine employment actions conditional on consent, e.g. do not make signing a consent form compulsory on joining: that would make the consent involuntary and legally invalid. Keep careful records of the consents given, ideally a register showing who consented, when and for what purpose, so that you can document this in the event of an inspection.
A key practical measure is to set clear internal rules on who may handle employee health data and how. Health documents and information should be accessible only to a limited circle of people, typically HR, payroll (because of sick leave) and management, and only to the extent each of them needs. Sensitive medical reports should be kept separate from the employee's ordinary personnel file, for example in a sealed envelope or in an electronic HR system with restricted access rights.
Technical security must match the nature of the data. Electronic health data should be encrypted at rest (a password on a file or share is not a substitute for encryption), access should require authorisation and be logged, and paper documents should be kept in locked cabinets with a record of who may open them. Any digital record of health data must fall within the company's security measures: inadequate technical and organisational security (storing data unencrypted, no controlled procedure for granting user access and authenticating users) is itself a serious breach of the GDPR.
Train the employees who come into contact with sensitive data on their duty of confidentiality and the correct procedures. An internal directive should define how health data is recorded, who authorises access, how requests for sensitive data are handled (for example, who may see the injury description in an accident report) and what to do in the event of an incident (a lost document, unauthorised access, etc.). Remember the duty of confidentiality as well: if a company has its own in-house doctor or medical professional, it must bind that person contractually to keep the information confidential. Finally, anonymise or pseudonymise data wherever individual identification is not necessary; aggregated figures without names are sufficient for morbidity statistics.
The GDPR requires that personal data be kept only for the time necessary for the purpose. This is doubly true for health data - a company should not keep it for longer than necessary. Therefore, set shredding periods for different types of documents:
To facilitate this, a list of document types containing personal data of employees can be included in the internal directive or the filing and shredding rules and assigned retention periods according to legal regulations or internal needs. Once the time period has expired, dispose of the data securely (shredding of papers, erasure and anonymisation of electronic records). This will prevent unnecessary accumulation of sensitive data and reduce the risk of unauthorised access in the future.
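The organisational and technical measures described above (health records kept apart from the personnel file, access limited by role and logged, pseudonymised figures for morbidity statistics, and retention periods enforced by a purge routine) can be seen together in the following Python example. This is illustrative code added for this article, not code from ARROWS or from any real HR system. The roles, record types, retention periods, employee identifiers and records are constructed assumptions; encryption of the data at rest is assumed to be provided by the storage layer and is not implemented here.

```python
# Added example for this article, not code from ARROWS or any real HR system.
# Roles, record types, retention periods and employees are assumptions;
# encryption at rest is assumed to be handled by the storage layer.
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

# Retention in days per record type (assumption; the article gives 30 years for
# accident records, the rest are placeholders to check against the applicable law).
RETENTION_DAYS = {
    "sick_note": 3 * 365,
    "accident_record": 30 * 365,
    "covid_test": 30,  # "delete once the purpose has passed"
}
# Least-privilege read matrix (assumption): which roles may see which type.
READ_ROLES = {
    "sick_note": {"hr", "payroll"},
    "accident_record": {"hr", "osh_officer"},
    "covid_test": {"osh_officer"},
}
DEMO_TODAY = date(2024, 6, 1)  # fixed "today" so the demo is reproducible

@dataclass
class HealthRecord:
    employee_id: str
    record_type: str
    created: date
    content: str  # for a sick note: dates only, never a diagnosis

@dataclass
class HealthStore:
    """Health records kept apart from the general personnel file."""
    pseudonym_key: bytes  # secret kept outside the data set (vault/HSM)
    records: list[HealthRecord] = field(default_factory=list)
    audit_log: list[str] = field(default_factory=list)

    def _audit(self, event: str) -> None:
        self.audit_log.append(f"{datetime.now(timezone.utc).isoformat(timespec='seconds')} {event}")

    def add(self, record: HealthRecord, actor: str) -> None:
        if record.record_type not in RETENTION_DAYS:
            raise ValueError(f"unknown record type {record.record_type!r}")
        self.records.append(record)
        self._audit(f"ADD actor={actor} type={record.record_type} employee={record.employee_id}")

    def read(self, actor: str, role: str, employee_id: str, record_type: str) -> list[HealthRecord]:
        """Return matching records only if the role is authorised; every attempt is logged."""
        allowed = role in READ_ROLES.get(record_type, set())
        self._audit(f"READ actor={actor} role={role} type={record_type} "
                    f"employee={employee_id} {'GRANTED' if allowed else 'REFUSED'}")
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {record_type!r}")
        return [r for r in self.records
                if r.employee_id == employee_id and r.record_type == record_type]

    def pseudonym(self, employee_id: str) -> str:
        """Keyed pseudonym (HMAC-SHA256): stable for counting, not reversible without the key."""
        return hmac.new(self.pseudonym_key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]

    def sick_leave_stats(self, year: int) -> dict[str, int]:
        """Morbidity statistic: sick notes per month plus a distinct-employee count
        taken over pseudonyms, so no name or employee id leaves the store."""
        stats: dict[str, int] = {}
        seen: set[str] = set()
        for r in self.records:
            if r.record_type == "sick_note" and r.created.year == year:
                month = f"{year}-{r.created.month:02d}"
                stats[month] = stats.get(month, 0) + 1
                seen.add(self.pseudonym(r.employee_id))
        stats["distinct_employees"] = len(seen)
        return stats

    def purge_expired(self, today: date) -> int:
        """Delete records past their retention period; returns how many were removed."""
        kept, removed = [], 0
        for r in self.records:
            age = (today - r.created).days
            if age > RETENTION_DAYS[r.record_type]:
                self._audit(f"PURGE type={r.record_type} employee={self.pseudonym(r.employee_id)} age_days={age}")
                removed += 1
            else:
                kept.append(r)
        self.records = kept
        return removed

def demo() -> HealthStore:
    """Constructed sample data (fictitious employees) exercising each control."""
    s = HealthStore(pseudonym_key=b"demo-key-replace-with-a-vault-managed-secret")
    s.add(HealthRecord("E1001", "sick_note", date(2024, 3, 1), "unfit 2024-03-01 to 2024-03-10"), "hr.novak")
    s.add(HealthRecord("E1001", "sick_note", date(2024, 5, 6), "unfit 2024-05-06 to 2024-05-08"), "hr.novak")
    s.add(HealthRecord("E1002", "sick_note", date(2024, 3, 15), "unfit 2024-03-15 to 2024-03-20"), "hr.novak")
    s.add(HealthRecord("E1002", "accident_record", date(2001, 6, 1), "fall from ladder, fractured wrist"), "hr.novak")
    s.add(HealthRecord("E1003", "covid_test", date(2024, 1, 2), "positive"), "osh.dvorak")
    return s

if __name__ == "__main__":
    store = demo()
    print(store.sick_leave_stats(2024), "purged:", store.purge_expired(DEMO_TODAY))
    print("\n".join(store.audit_log))
```

Three design points carry the article's requirements: refused reads are logged as well as granted ones, so an audit can show who tried to look at an accident report; the statistics function never returns an identifier, only month counts and a distinct count computed over keyed pseudonyms; and the purge routine logs what it deleted by pseudonym rather than by name, so the audit trail itself does not become a second copy of the sensitive data. With the constructed data, a payroll user can read E1001's two sick notes but is refused the accident record, the 2024 statistics show two sick notes in March and one in May across two employees, and a purge on 1 June 2024 removes only the COVID test record while the 2001 accident record stays within its 30-year retention period.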
Even with the best of intentions, companies sometimes make mistakes when processing employee health data.
Here are four common missteps, complete with real-world examples and tips on how to eliminate them:
Gathering unnecessarily detailed information
Sometimes employers record more medical information than they actually need, for example by requiring an employee to provide a detailed medical report with a diagnosis when a certificate of incapacity would suffice. In doing so they breach the minimisation principle and may be processing sensitive data unlawfully. How to avoid it: always ask whether you really need to know the information. Take only what is necessary to fulfil the obligation (e.g. the start and end dates of incapacity for work). Leave medical details (diagnoses, descriptions of illnesses) to the doctors and do not ask employees for them.
Unclear or invalid employee consent
A common mistake is to try to "play it safe" with a universal consent from the employee that covers very broad processing (all conceivable data) or is obtained as a formality without any real choice. Such blanket consent is contrary to the GDPR: it is neither specific nor freely given. Moreover, the employee can withdraw consent at any time, which leaves the company in difficulty if it has built necessary processes on it.
How to avoid: do not rely on consent where you can support the processing with another legal basis (legal obligation, legitimate interest). If you do need consent, word it narrowly for the purpose and give the employee a genuine choice (no penalty or disadvantage for refusing). A voluntary health scheme is an example of good practice: offer participation, but do not force it. Keep the consent on file and check regularly that it is still valid and still needed.
Lack of security and confidentiality
The best legal title will not help if a company neglects to take organisational and technical measures to protect data. In practice, there have been cases where sensitive employee data files have been made freely accessible to a wider range of people due to a system misconfiguration - this happened, for example, in the H&M case, where internal employee health and privacy records were temporarily made available to the entire company, which subsequently led to a record fine.
How to avoid: Establish strict access rights - only authorized people can access health data. Encrypt files and use secure storage. Consistently communicate internally that health information is confidential. Anyone who handles it should be bound by confidentiality. Conduct regular audits for unauthorized access. For IT systems, ensure updates and security features (encryption, two-factor authentication, access logging). This will prevent data leakage and misuse.
Misuse of health data for improper purposes
The most serious situation is when an employer uses the sensitive data obtained against employees or to make discriminatory decisions. For example, the aforementioned Berlin case revealed that the company kept a list of "critical" employees based on mental illness and other personal information, and used it to dismiss them. This is a gross violation of the law and ethics - the GDPR clearly states that health data cannot be processed for the purpose of making unjustified judgments or discriminating against employees.
How to avoid: set zero tolerance in your organisational culture for any misuse of personal data. Use health data only for lawful purposes (e.g. health protection, compliance) and never to decide who gets a raise, a promotion or a dismissal, unless the decision lawfully depends on it (for example, a medical finding that the employee is unfit for the job). Decisions on work-related matters must rest on performance, qualifications and objective criteria, never on the fact that someone has a health problem or cares for a sick family member. Review internal processes (recruitment, appraisal, termination) and make sure they include no health-related questions or criteria that the employer's obligations do not support.
The legal framework for the protection of personal data in an employment context is complex and constantly evolving. ARROWS has a team of specialists in both GDPR and employment law who can help you set up the processing of employee health data in a way that is both compliant and practical for your HR processes. For example, we offer:
Do not hesitate to contact us for a no-obligation consultation. Together we will review your needs and find solutions that protect your employees' sensitive health data while meeting every legal obligation. With our help you will gain not only peace of mind from a GDPR perspective, but also employees who are confident that their personal data is safe with you. Contact ARROWS today; we would love to help you take your company's data protection to the next level.