Health surveillance and GDPR: what can my employer know about my health status?
Workplace health surveillance involves collecting and analyzing data about employees’ health to ensure a safe and healthy working environment. These practices often include medical examinations, sickness records, and other health-related data of employees.
However, the General Data Protection Regulation (GDPR) establishes regulatory obligations that employers must adhere to when collecting and using employees’ health data.
In this blog post, we will clarify what data employers can access and what they cannot.
Key aspects of GDPR regarding health surveillance
The Occupational Risk Prevention Law and its implementing regulations impose on companies the obligation to carry out a set of activities to prevent or reduce work-related risks. Fulfilling this duty necessarily involves processing employees’ personal data.
In this specific case, the processing of personal data concerning risk prevention is justified by the existence of a contractual relationship that requires data processing. The employment contract, along with compliance with legal obligations established in the Employment Act and the Occupational Risk Prevention Law, forms the legal basis for data processing.
However, this obligation of the employer in health surveillance does not mean that employees have to undergo medical examinations, as they are generally voluntary. The employee must give consent, except in the following scenarios:
- When the examination is essential to assess the effects of working conditions on employees’ health.
- To verify whether the employee’s health condition could pose a danger to themselves, other employees, or individuals related to the company.
- When there is a legal obligation related to the protection of a specific risk or activities of special danger.
Whether the examination is voluntary or mandatory, it is crucial to fulfill the duty to inform the worker about the collected data, always adhering to the principle of proportionality. The gathered information should never exceed what is strictly necessary, and the employee should be aware at all times of the information being collected.
It is essential to note that the medical examination focuses on the employee’s fitness for the job and should not be considered a general health check. Therefore, only the medical data relevant to the employee’s job functions should be processed.
Furthermore, the employer is not authorized to access the specific medical diagnosis. They may only access the examination’s conclusions: whether the employee is “Fit” for the job, or a breakdown of the tasks the employee can perform, together with any recommendations to adapt the job to the employee or to consider a change of position.
In fact, it is important to recognize that the company does not have the right to know more specific health data concerning an employee who is particularly vulnerable to work-related risks, such as pregnant individuals or people with disabilities.
In conclusion, employers must exercise special care with the data collected in medical reports, always adhering to proportionality and the duty to inform the employees.
At Letslaw by RSM, our team of data protection lawyers can advise you on everything you need.
Letslaw is an international law firm specialising in business law.