The State Data Protection Inspectorate receives a number of enquiries on the implementation of the Resolution of the Government of the Republic of Lithuania of 14 July 2021 nº 559 which:

1. The list of activities for which employees have to be regularly inspected for the presence of a contagious disease for which the state emergency and/or quarantine has been declared has been compiled (the following – periodic inspection);
2. The periodic inspection procedure has been established (more detailed information on this procedure is provided in the notification of the Ministry of Health of the Republic of Lithuania).

Still, the obligation of periodic inspection does not apply to all employees working on the Resolution of the Government of the Republic of Lithuania n. 559 and are those who have not been vaccinated or have not been affected since COVID-19.

This exception in the Health Control Procedures for workers authorised to work for regular examinations, approved on 26 March 2021 with deliberation n. 178, point 7. In other words, an employer, whose activities are part of the scope of Decision No. 559, in order to assess which employees are not subject to periodic inspections, is obliged to process certain data on the health of employees.

The Data Inspectorate stresses that, in the specific case of the applicable legal obligation on the part of the employer, it is important to guarantee the requirements for the processing of personal data set out in the General Data Protection Regulation (GPDR).

It is mentioned that information on the fact that the worker does not have (has not been affected) any infection of COVID-19 or vaccination (comprehensive, where applicable, date, type of vaccination, etc.) are health data which are part of particular categories of personal data and that is why the employer has to ensure a high level of data protection, that is to say:

1. Scope of personal data: the employer has to process only the health data necessary for current decisions of the government of the Republic of Lithuania, for example, to process only the confirmation of conformity to one of the requirements and, if applicable, the period of conformity (that is to 01/2021). We stress that according to the GDPR, the employer is responsible and has to justify the method chosen to assess the compliance of the employee with one of the established criteria and the scope of personal data to be processed;
2. Supporting documents: The Data Inspectorate takes note of the intention of employers to draw up documents to check compliance with one of the criteria, therefore underlines that these documents contain more information than is necessary to achieve the specific purpose of the processing of personal data, for this reason, employers would have to abstain from these actions. Within the scope of the resolutions of the Government of the Republic of Lithuania, the same purpose can be achieved with less restrictive means of privacy, that is only to show these documents to the employer without providing (sending) copies;
3. Responsible person: it is important to remember that one of the principles related to the processing of personal data is the principle of confidentiality and integrity, which calls for adequate security of personal data. One of the components of this principle is the principle of the “need to know”, that is to say the employer has to ensure that information on employee respect is provided only for the designated responsible person with access to this personal data, such as the head of the department (of the unit) or the person responsible for the processing of personal data of staff, etc.;
4. Retention of personal data: in the event that the term of retention of data is not established from a legal act establishing the legal obligation to process personal data, the controller (entrepreneur) has to establish a proportionate and reasonable term for the retention of personal data. For example, this limit could be linked to the validity of a legal act imposing an obligation to process personal data or an emergency, regardless of its short duration, and a reasonable period after its expiry;
5. Information on employees: it is recalled that before starting to process additional personal data of employees (i.e., the employer was not obliged to process before the entry into force of Resolution No. 559 of the Government of the Republic of Lithuania), it is necessary to inform employees about how these personal data are processed.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA LITUANIA