Home

Some companies that have chosen us

Privacy Officer and Privacy Consultant
CDP Scheme according to ISO/IEC 17024:2012
European Privacy Auditor
ISDP©10003 Certification Scheme according to ISO/IEC 17065:2012
Auditor
According to standard UNI 11697:2017
Lead Auditor ISO/IEC 27001:2022
According to standard ISO/IEC 17024:2012
Data Protection Officer
According to standard ISO/IEC 17024:2012
Anti-Bribery Lead Auditor Expert
According to standard ISO/IEC 17024:2012
ICT Security Manager
According to standard UNI 11506:2017
IT Service Management (ITSM)
According to the ITIL Foundation
Ethical Hacker (CEH)
According to the EC-Council
Network Defender (CND)
According to the EC-Council
Computer Hacking Forensics Investigator (CHFI)
According to the EC-Council
Penetration Testing Professional (CPENT)
According to the EC-Council

Professional qualifications

Stay up-to-date with world news!

Select your topics of interest:

News

Home / News
/
LATVIA SUPERVISORY AUTHORITY: proof of compliance of workers with criteria for the application of facilitation of epidemiological requirements

LATVIA SUPERVISORY AUTHORITY: proof of compliance of workers with criteria for the application of facilitation of epidemiological requirements

The Cabinet Regulation n. 360 of the 9th of June 2020, epidemiological security measures in order to limit the diffusion of the COVID-19 infection (hereinafter Regulation), requires that in a working place may reunited without using any mouth and nose coverages and without observing social distancing of two meters if all the people have been vaccinated or have been infected by COVID-19.

In addition, in order to guarantee the sustainability of company’s activities or the provision of public services, the employer has the right to ask and process information obtained by the employee on the respect of a status of vaccination or infection of a person, which is underlined by a interoperable certificate of illness or vaccination.

The Regulation requires conditions for facilitated staff gathering for those people who have the interoperable illness certificate which is proving the fact that the person has been infected by COVID-19 or interoperable vaccination certificate which is proving that the person has been vaccinated against the COVID-19 infection according to article 38.27 of the criteria mentioned in the introduction. [1]

Information on the health status of a person, for example if an employee has been infected or not by COVID-19 and if the employee has been vaccinated against COVID-19, made up a specific category of personal data according to the General Data Protection Regulation and so in the storage system or the storage of those information in the electronic system is the personal data processing. Health data shall be processed only if there are the assumptions pursuant to article 6 and 9 of the Regulation.

The legal basis in order to obtain information on the health status or information on the impact of the COVID-19 in this case is the Article 6(1)(e) of the Regulation –  processing is necessary for the performance of a task carried out in the public interest – and article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety. [2]

As long as relevant legislation is in force, employers have the right to ask employees to present an interoperable certificate which proofs that the employee complies with the following criteria: he/she has been vaccinated or has been infected by COVID-19 in the last 180 days.

If the employee does not provide this information, the employer considers him/her as incompliance, and he/she can not enjoy from the exoneration of criteria.

Is part of each employer assess if the he/she is able to comply with the requirements, the contribution of resources of the implementation of control and decide if introducing or not the facilitation of epidemiological requirements in working places.

The implemented legislation concerning the epidemiological situation in the country provides to employers a clear legal basis for the processing of personal data, but anyway, in addition to the legal basis they have to comply also with the disposals of the Regulation.

In this particular case, the Authority recalls back the attention on the personal data protection principle pursuant to the article 5 of the Regulation, which underlines in particular that the processing of data shall be minimized, concrete, lawful, accurate and secure for data subjects.

This means that a employer can process only the quantity of personal data which is necessary in order to reach a purpose, which means, it is necessary to detect the fact that the person is complying with the article 38.27 of the Regulation. In order to establish if a person has been vaccinated or has been infected by COVID-19 it is not necessary to copy a interoperable certificate, but it is enough to update the system by indicating the name of the person, title and information that the person is complying with the article 38.27 of the Regulation, by minimizing the processing of personal data and at the same time, by reaching the purpose.

It is important to mention that, even if there is a clear framework for the personal data processing for a specific purpose, it seems to be possible to ensure the timely and correct distribution within the date required and that data are not stored longer than necessary.

Employers, by ensuring them that employees are complying with criteria of the Regulation can:

  • Carry out an exam of the vaccination or illness certification.

This inspection shall take place every day when the employee arrives on the working place and after the presentation of the Certificate. If the Certificate is valid, the employee shall work without respecting the epidemiological requirements. Anyway, if the certificate is not valid, the staff member shall work by respecting the social distancing, except specific epidemiological situations.

The Regulation does not require mandatory written registrations of the respect of criteria (in a journal or in an informatic system).

So, it is possible to carry out an investigation for verifying the compliance with the criteria, by presenting each time a certificate without any written personal data processing (by the employer). In those cases, the personal data processing will not be submitted to the prescriptions of the Regulation, because the registration will not be stored in the database or in the e-format.

In cases where the collectives are not numerous and it is possible to identify specific 20 people, the Inspectorate does not see the need to create written details, as the verification of the criteria of the Regulation can be ensured by the verification of the Certificate, minimizing personal data processing. For example, if the team has 10 employees and the employer has made sure once all employees have been vaccinated, it would not be necessary to require the presentation of the certificate every day, since in this case compliance with the criterion cannot change.

  • Create an inventory (list) of employees who meet the criteria in the introductory part of Article 38. 27 of the Regulation

The employer may keep a general register of suitable employees. The accounts may be carried out by drawing up a list or using another electronic tool. The inventory/list should reflect compliance with the criteria as such, rather than separating each criterion separately (whether the worker has been vaccinated or sick).

The inventory/list should include information that identifies the employee – name and location. The list should not include and separate information on vaccinated workers and information on workers who have contracted COVID-19.

These two criteria are the same and there is no legal basis for employers to divide employees into groups on the basis of the criterion which satisfies the employee. The employer may ask the worker to inform the employer when the worker no longer meets the criteria, if the eligibility period specified in the Regulation expires (for example, 180 days after the end of the disease or 99 days after the first vaccination but the second did not take place).

In order to ascertain the specified period during which the employee would meet the requirements, the employer may compile records for a certain period of time in the future. The list can be drawn up for the following month (or for two or other periods) and will include all employees who meet the criteria of the Regulations for the entire month (or two or other periods).

When drawing up the list, the employer shall have the right to require the employee to submit documents attesting to the employee’s compliance with the criteria.

If the employer wishes to indicate the deadline / specific date by which the employee fulfils the criteria when compiling the inventory / list, it should indicate the deadline / date for all employees. This would be 180 days after receiving Covid-19, 99 days after receiving the first Vaxzevria vaccine. As the duration of exposure to vaccination is not currently known, it can legally be assumed to be at least 180 days from the day fourteen days after the completion of the complete vaccination cycle.

In this way, all deadlines will be listed for the employer and the employee should be removed from the list at the expiry of the deadline.

IN A NUTSHELL:

The employer may:

  1. Keep a record only of those employees who work in person. If the employee works at a distance, there is no reason to force him to comply with the criteria of the Regulation.
  2. Require staff to submit an interoperable vaccination or disease certificate.
  3. Keep a record of persons who have been vaccinated or have contracted the Covid-19, indicating first name, last name, qualification and a note that the person meets the criteria mentioned in the Regulations.
  4. Instruct employees who work in person to inform the responsible persons if the employee’s status changes and no longer meets the criteria of the Regulation.

The employer may not:

  1. Copy the Covid-19 vaccination or disease document;
  2. Rewrite all information contained in the vaccination or vaccination certificate for Covid-19. For example, an organization does not need to collect information on the date of vaccination, the particular vaccine or whether a person has been vaccinated or has been ill;
  3. Keep information about a particular person longer than necessary to achieve the purpose (objective). For example, since the information changes, an organization may update the information on a monthly basis by deleting the previous list and deleting the last list when those rules no longer exist;
  4. Obtain and transfer information to third parties. For example, there is no legal basis for an employer to ask the vaccination center to provide information on vaccinated workers, nor is there a legal basis for transmitting this information to its partners;
  5. Make the list available to employees of the organization for whom access to information on vaccination against Covid-19 or disease from Covid-19 is not related to direct work responsibilities. The result that the employer wants to achieve through the publication must be something that cannot be achieved otherwise without processing personal data.

Please note that if actual circumstances change, the explanation prepared by the State Data Inspectorate may change.

  1. Persons holding an interoperable vaccination certificate attesting to a person who has contracted a Covid-19 infection or an interoperable vaccination certificate attesting that a person has been vaccinated against a Covid-infection19 and completed 14 days after completing a complete vaccination cycle with vaccines of the European Medicines Agency registered by the Agency or an equivalent regulatory body or recognized by the World Health Organization in compliance with the vaccine instructions or between 22 and 90 days after the first dose of Vaxzevria and immediately after the second dose of Vaxzevria, or persons with SARS-Cov-2 infection confirmed in the laboratory by detection of SARS-virus RNACov-2, no more than 180 days have elapsed and fourteen days have elapsed since the receipt of a single dose of vaccine registered by the European Medicines Agency or equivalent regulatory bodies or recognized by the World Health Organization.

2. processing is necessary in the public interest, such as protection against serious cross-border threats to health or high standards of quality and safety, inter alia for medicinal products or medical devices, on the basis of Union or national legislation providing for appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA LETTONIA

Recommended to you

Advanced Research