This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question: Can a company require proof of a COVID-19 vaccination to visit work sites and/or venues in the EU or the UK?
Answer: Requiring that an individual show proof of vaccination, recovery from a COVID-19 infection, or a recent negative test appears to be gaining traction in the EU and the UK as more and more court decisions, guidelines, and laws are published. Here are the latest three developments:
- Spain: On September 14, 2021, the Spanish Supreme Court ruled that it does not violate the data protection rights of individuals if they are required to provide proof of vaccination/recovery/test in order to gain access to venues, such as restaurants and bars, since no health data are stored or processed. According to the court, it does not constitute “processing” of health data if the so-called “COVID Pass” is merely presented upon request, without any information actually being recorded, stored, or incorporated into a database. The court considered the measure suitable, necessary, and proportionate to reduce infections.
- UK: Like Spain, the UK’s Data Protection Authority (the Information Commissioner’s Office) has published guidance stating that a visual check of an individual’s “NHS COVID Pass” (in either hard-copy form or using the UK NHS App) will not constitute “processing” under UK data protection law, provided that no records are retained. Use of the NHS COVID Pass as a condition of entry to a venue (including a workplace) is currently voluntary for individual organizations, but the UK Government has advised that it should not be used by essential services and retailers.
- Italy: On September 16, 2021, the Italian Government approved new rules requiring all workers to present proof of vaccination, a negative test, or recent recovery from infection before accessing their workspace. These measures will come into force on October 15, 2021. Any employee who fails to present a valid health certificate will be suspended from work without being entitled to wages. Additionally, a fine of between €600 and €1,500 could be imposed on employees and between €400 and €1,000 on employers if they violate the new rules.
However, please note that the deciding factor seems to be whether proof of vaccination/recovery/test is merely presented for a visual check (without data actually being stored) or whether the proof is checked for its validity (e.g., by scanning QR codes). The latter may indeed entail the processing of personal data, and data protection laws would apply.