Our Services

  • A catch-all for everything Data Governance, Strategy, Quality, MDM, Architecture and more.

  • All the support you need for compliance with the latest Data regulations (including GDPR).

  • Training on data for everyone from Data Stewards to the Business Department and Senior Management.

04. AI Governance
  • From understanding how AI fits into your existing landscape to using its power to
    get the mundane work done in a compliant manner.

Lets Talk Data

Don’t worry. We won’t waste your time. Nor will we convince you to hand over the controls.

Schedule Discovery Call


3 Things every Privacy Professional should know before executing retention policies

By: Christoph Balduck

March 29, 2021

Just recently, the Belgium government boasted of its 10 millionth jab in its COVID-19 vaccination campaign. This campaign is in full swing with over 60% of the adult population marked as having received at least one of their two shots. While getting vaccinated is highly encouraged, there is no legal obligation to take the vaccine, so it is entirely a choice. As an employer, you might be anxious about the return of the workforce to the office and might find it useful to register the vaccination status of your employees. The important question is, ‘Can we track the vaccination status of our employees to determine who can have access to the workspace?’

Before you go ahead and process the vaccination details of your employees, here are 5 things you must consider:
1. The Vaccination status of a person is considered personal ‘sensitive’ data.

Under the GDPR (General Data Protection Regulation), any person or organization operating within the EU or with the EU must respect individuals’ data collection and privacy. Any information that relates to an ‘identifiable living individual’ (or can be used to identify an individual), is considered personal data. Apart from simple personal data (name, address, etc.), there is another subcategory of data called ‘special’ or ‘sensitive’ data: According to Article 9 (1) of the GDPR, information is deemed to be special or sensitive if it indicates race or ethnicity, political, religious, and philosophical beliefs, membership in trade unions, genetic data, identifying biometric data, sexual orientation, and health data. As a person’s vaccination status clearly belongs in the category of ‘health data’, it is protected under GDPR as ‘sensitive’ data. The difference between both categories is most noticeable in the way GDPR treats the processing of such data. Processing includes collecting, using, storing, transmission recording, and adaptation of personal data.

2. Processing ‘sensitive’ or ‘special’ data is considered off-limits in most situations.

As we mentioned before, GDPR has a special category preserved for the most sensitive kind of data. In most situations, processing ‘sensitive’ or ‘special’ data is prohibited. As an employer, this entails that you are not allowed to process the vaccination status of your employees in the same way you can process their simple personal data.
As with any rule, there are a few exceptions that allow for the processing of
‘special’ or ‘sensitive data’:

  • Explicit consent is given by the data subject
  • It is required in employment and social security context
  • It necessary to keep safe those who are unable to do so themselves
  • It is carried out by non-profit organizations for persons who are currently or were previously members or affiliates
  • The data is clearly made public by the data subject
  • It is necessary to determine the work capacity of the individual
  • Special category data is necessary to protect cross-border threats in the interest of public health
  • Statistical data is necessary for national archives and research under Article 89 (1)

From reading these exceptions, it should also be noted that there are limitations to who can access or process such data. In the case of vaccination data, medical professionals (including company physicians) may access this data if it is necessary to keep the public safe, to organize the vaccination campaign, or to determine the individual’s ability to work.

3. Consent is not automatic grounds for processing (special) personal data.

As we mentioned before, employee consent is one of the ways that an employer can process personal data.

However, as the employer and authority figure, there is a thin line between determining what is a say-so from a superior and what is just a
request. This makes it tricky to prove free consent in an employer-employee situation as employees might feel pressured to give consent.

If you as an employer want to make employees’ access to the workplace dependent on the disclosure of their vaccination status, consent to disclosing such data by your employees can never be considered legitimate.

In summary, consent must be freely given without fear of consequences or negative repercussions in order to be valid. The
employer may not punish or hold non-consent against the employee.

4. There must be transparency in (special) personal data collection.

The law requires that individuals are informed by the controller if their data is being recorded, stored, used, and viewed. Under Article 13 of the GDPR, which deals with transparency obligations, it is expected that the way data will be treated will be outlined to the individual in plain language that is not overly legalistic. In most situations, this is done through an easily accessible and regularly updated privacy statement.

5. There is no law or collective labour agreement in Belgium which allows for the processing of vaccination status by an employer.

There is also no sign that such a law is in the making. While the ban on the processing of vaccination status of employees can be lifted by the law of an EU Member State or by a collective labour agreement, there is no such law in Belgium.

In the event there was such a law or collective agreement, it would need to be proportionate to the objective. It should also provide appropriate safeguards for the right to data protection and other fundamental rights of the individual. The Belgian data protection authority (GBA) has indicated that they are not aware of the existence of such legislation.

What can you do?

After telling you what you can’t do, you’re probably wondering: ‘How am I ever supposed to collect data from employees without infringing GDPR rules?
Well, not to worry. If you follow the steps below, you’ll be 100%
compliant at all times:

  • Identify & categorize which (sensitive) personal data you want to collect.
  • Decide on the purpose & check if any legal ground or exception applies.
  • Document the data collection.
  • Inform the individual about the data collection.

If you still have questions about processing COVID-19 vaccination data, feel free to contact our subject-matter expert: Sonja Pijnenburg: Sonja has an academic background in both Internation Business Law and IT law, as well as years of experience in advising on Data Protection and Privacy legislation.
We look forward to answering your questions.
Contact Sonja