With the new 3G rule, employees have a duty to provide information to their employer. But data protection sets strict limits. Read here what companies and employees have to consider:
Since recently, employees are only allowed to come to work if they are vaccinated, recovered or tested. This requirement is checked daily by the employer. If he fails to do so, he is liable to heavy fines. In addition, the employer is given the right to request information on the 3G certificates.
What data is collected?
To be recorded are: (1) first name and surname, (2) date of birth, (3) home address, (4) telephone number (landline and/or mobile), (5) e-mail address. In addition, the following categories of sensitive data are processed for the above-mentioned purpose: (6) vaccination status, (7) recovery status (serostatus), (8) test status.
Currently, the vaccination certificate is valid indefinitely, the recovery status expires after 6 months, so that the expiration date must also be recorded here. A PCR test is valid for 48 hours whereas a rapid test is only valid for 24 hours.
Who is allowed to document the data?
Here, only suitable employees or contracted service providers are allowed to collect the data. All data must be processed with absolute confidentiality.
How long the data may be stored
Data must be deleted again after 6 months at the latest. In case the 3G obligation applies beyond March, a new collection must be carried out.
What is the employer’s duty to inform?
We recommend that you draw up an “Employee information on the processing of special categories of personal data”.
This document applies in addition to the applicable data protection notices of your company and provides sufficient information on the “purpose and legal basis of data collection”, the “data categories”, “recipients” and “retention period”.
We would be happy to assist you with the creation of an appropriate template. Please contact us via our website or – as a customer – contact your consultant directly.
Your contact to ePrivacy: