
When a data protection officer locates health-related data in a company, the focus is not only on the human resources department, which coordinates sickness notifications and occupational integration management measures, but also on occupational health and safety and occupational health management. This also includes the employer’s offer of voluntary vaccinations by the company doctor. The employer’s interest is clearly defined, because by closing vaccination gaps and the associated effect of containing infectious diseases, the workforce’s ability to work is maintained.

Since the Corona pandemic at the latest, vaccinations by the company doctor have been a tried and tested means of relieving the vaccination centres and taking up the fight against the pandemic in the company as well. Many companies contributed to increasing the vaccination rate and thus reducing the number of cases. Since then, the topic of vaccinations has become more present again.

Many employers are offering flu vaccinations more and more frequently as the winter season approaches. Here, as in the Corona era, it is important to identify the vaccination interests of employees sensitively and carefully – i.e. who would like the offered vaccination.

The offer should be implemented in accordance with data protection requirements, and not only because of employees who are critical of vaccinations (for whatever reason). It should be emphasised once again that a certain sensitivity already arises when the employer collects the so-called “interest in vaccination”. While posted lists for independent registration by employees were “previously” normal, employers should now act with caution, because an expressed interest in a certain vaccination can also lead to conclusions about the vaccination status of the person in question, and the vaccination status is considered to be personal data.

Therefore, it is important to avoid uncontrolled circulation of data regarding the interest in vaccination within the company and to make it available only to those areas that really need the data: the organisers, the company doctors involved and ultimately the people affected themselves. One of the organs of co-determination in the company must not be left out of the list, namely the works council. Although the works council is only a limited recipient of the lists of participants, it has a right of co-determination under section 80, paragraph 2, sentence 1 of the Works Council Constitution Act (BetrVG). The works council must be involved in a company agreement and informed appropriately about the type and technical implementation of the appointment booking.

By making the vaccination offer transparent but also confidential, you can ensure that you process your employees’ data lawfully. Employees should receive all important information about the vaccination offer; the duty to inform pursuant to Art. 13 of the GDPR applies here. The voluntary nature should also always be emphasised.

The names of your employees can be recorded in written or electronic form, e.g. in a separate notification form on your intranet. The data must be used exclusively for the purpose of the vaccination campaign and deleted after the end of the campaign.

Involve your data protection officer at an early stage when planning vaccination programmes within your company. He or she can show you ways to address employees in a way that complies with data protection regulations. Data protection remains exciting, even when it comes to vaccination in the workplace.