The Italian Data Protection Authority (Garante) has issued detailed guidelines on data processing activities in the context of workplace vaccination campaigns and on the role of the so-called “competent doctor” (medico competente).

The new guidelines confirm the general principle already outlined in the Garante’s FAQs: The employer is not entitled to collect any vaccine-related information (including the employee’s willingness to get vaccinated or whether the employee has been vaccinated), either directly from the data subject, or indirectly through the competent doctor or other health professionals.

In particular, the Garante has further clarified that:

  • The employer is not entitled to process vaccine-related information, not even if the employee has granted his/her consent (pursuant to article 6 GDPR). Employees’ consent cannot be a suitable legal basis since, due to the imbalance inherent in the employer-employee relationship, consent will most likely never be actually free (as it should be, to be validly granted and collected);
  • Processing of data related to COVID-19 vaccinations, being health-related data and, as such, special categories of personal data, shall be legitimate when “necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional” and “when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies” (according to article 9, par. 2, lett. h and par. 3 GDPR). In brief, such data shall be processed by health professionals only, such as the competent doctor;
  • While processing health-related data, the competent doctor acts as independent data controller (and, as such, the competent doctor shall not follow any employer’s instructions);
  • The employer shall cooperate with the competent doctor (e.g. by raising awareness among the employees on COVID-19 vaccinations), without such cooperation resulting in unlawful collection of employees’ health-related data in breach of both labor laws and privacy laws;
  • The only information that the employer may collect to implement a workplace vaccination campaign is the number of employees willing to be vaccinated;
  • The employer shall not be able to identify the employees adhering to the vaccination campaign, and shall implement (also according to the accountability principle) technical and organization measures suitable to reduce the risk of collecting non-necessary data and of spreading information also to other employees (e.g the employer shall allow employees to communicate their willingness to be vaccinated directly to the health facilities involved in the vaccination campaign; workplaces where vaccinations will take place shall be set in a way as to ensure confidentiality of the employees that are being vaccinated);
  • Although the time period necessary to get vaccination during working hours is considered as working hours, the employer shall not ask the employee any confirmation of vaccination and shall not request the exhibition of the vaccination certificate.