COVID-19
The Italian Data Protection Authority's guidelines for the workplace vaccination campaign
The Italian Data Protection Authority published the new guidelines for the workplace vaccination campaign
On 14 May 2021, the Italian Data Protection Authority published the new guidelines for the workplace vaccination campaign and related privacy issues.
We summarize below the main guidance provided by the Authority for those companies which have decided to put in place the in-company vaccination process.
First of all, the Authority pointed out once again the principles at the basis of the organization of the campaign, in light of the legislation issued on the matter:
➢ The protection of workers’ privacy is a key condition in the organization and implementation of the company’s vaccination plan;
➢ The traditional allocation of responsibilities between Occupational Health and Safety doctor and employer must always be ensured.
Secondly, based on the above principles, the Authority provided key information to organize the vaccination campaign at best:
1. Data controller:
The data controller for the workers’ personal data is the occupational health and safety doctor.
2. Legal basis of processing:
The legal basis of processing is article 9(2)(h) and (3) of the GDPR: the processing of vaccination-related data is necessary for the purposes of preventive or occupational medicine and is expressly entrusted to a health professional only.
3. Consent to join the campaign and ordering the doses of the vaccine:
The employer cannot gather – either directly from the data subjects, or through the occupational health and safety doctor or other healthcare professionals or facilities – information on vaccination-related issues, including the worker’s intention to join the campaign, whether or not the vaccine has been administered and other healthcare information on the worker. Upon submission of the vaccination plan to the public health authority (ASL), the employer will simply ask for the required number of doses of the vaccine based on the indications provided by the health professional. Furthermore, if employer’s tools are used to gather information on the employees’ consent, the necessary technical and organizational measures will have to be put into place to ensure that processing is compliant with industry legislation.
4. Planning the vaccinations:
The employer may provide the healthcare professional in charge with indications and criteria for planning the vaccination sessions, without processing the personal data concerning the consent of identified or identifiable workers.
5. Administering the vaccine:
The vaccine will have to be administered at the premises identified by the employer, which must be such to prevent, insofar as possible, co-workers or any third parties from becoming aware of the identity of the employees being vaccinated and to ensure their dignity.
6. Accounting for absence from work:
The time required to be vaccinated will be treated as working time. Absence from work will be accounted for, if required, in the ordinary manner as required by the applicable national collective bargaining agreement or by a generally-worded note issued by the vaccinator.
We recommend that companies who wish to implement the vaccination campaign strictly abide by the Authority’s guidelines, to ensure the best possible management of the campaign and the protection of the workers’ privacy.
Please do not hesitate to contact us if you require additional information and clarifications.