We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
08 May 2020
On 3 April 2020 Parliament enacted the Third, Fourth and Fifth COVID-19 Acts.(1) Although these laws have significantly changed the Austrian legal framework, none of them include data protection provisions. Thus, the legislature appears to have overlooked a significant data protection issue arising from the new laws, perhaps because data protection discussions in the context of COVID-19 have predominantly concerned mobile phone tracking.
The Third COVID-19 Act has revised several laws, including the Social Insurance Act (ASVG). Specifically, a new Section 735 has been introduced to the ASVG, reflecting a measure which the minister of health has repeatedly discussed.
Section 735 sets out a multistep process which prevents employees who are at risk of contracting COVID-19 from having to show up at work. The process is as follows:
In its explanatory notes, the legislature explains that the social insurance agency will use the available data to identify potentially eligible individuals and inform them that they may fall into a risk group (step two above). The legislature also explains that COVID-19 risk medical certificates will not include a concrete medical diagnosis.
Under Article 4(15) of the EU General Data Protection Regulation (GDPR), 'health data' means any data concerning an individual's physical or mental health status. The processing of such data must satisfy the strict requirements set out in Article 9 of the GDPR. Of particular relevance to the Third COVID-19 Act is Article 9(2)(b) of the GDPR, which allows the processing of health data in order to, among other things, allow an individual to exercise their rights under the applicable labour or social security laws, provided that the data processing is supported by a national law that appropriately safeguards the individual's interests.
The new Section 735 of the ASVG can be seen as the relevant national law within the GDPR's meaning. It will protect the interests of employees whose health is at risk and help to secure their salaries. However, it requires the social insurance agency, employees, doctors and employers to share information about an individual's affiliation with a COVID-19 risk group. Since COVID-19 risk groups are determined through medical parameters (see step one above), any information about an individual belonging to a risk group is personal health data. This is not changed by the fact that doctors will not include a concrete medical diagnosis on a COVID-19 risk medical certificate.
However, Section 735 of the ASVG neither includes data protection safeguards nor defines the circumstances in which the social insurance agency can identify an individual's potential eligibility for a risk group (step two above). Section 735 also fails to specify the circumstances in which employers can process an individual's health data (step four above). Notwithstanding its fragmentary character, Section 735 of the ASVG must still be considered the legal basis for data processing. The alternative would be employee consent (Article 9(2) of the GDPR). However, this would be nothing more than a hypothetical option. In a scenario where refusal or withdrawal of consent would lead to a health risk or loss of income, an employer could not reasonably assume that the individual's consent was sufficiently voluntary.
Section 735 of the ASVG creates a conflict of interests as it permits data disclosures which have traditionally been deemed unlawful. That said, employers are prohibited from discovering details of an employee's health status. However, if an employer learns that an employee is part of a COVID-19 risk group, it will have discovered details of the employee's health status. This conflict of interests is intensified by the law's rudimentary character. As such, it is predominantly up to employers to mitigate these conflicting interests by implementing appropriate safeguards, such as the following:
Section 735 of the ASVG was doubtlessly established to preserve employee interests. However, the provision lacks data protection safeguarding measures. Although it is principally not up to employers to mitigate legislative deficits, they are nonetheless well advised to adhere to the above safety measures to not only comply with the GDPR's accountability principle, but also ensure that they treat their employees fairly.
For further information on this topic please contact Günther Leissler at Schoenherr Attorneys at Law by telephone (+43 1 5343 70) or email (firstname.lastname@example.org). The Schoenherr Attorneys at Law website can be accessed at www.schoenherr.eu.
(1) Further information on COVID-19 is available here.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.