Dutch DPA: CP&A receives fine for violating privacy of sick employees

9 June 2021

The Dutch Data Protection Authority (DPA) has imposed a fine of €15,000 on maintenance company CP&A for violations committed when processing the health data of sick employees. CP&A maintained a register of the causes of sick leave. In doing so, the company processed more health data than legally permitted. Furthermore, the registration of sick leave was not adequately secured. CP&A has now ended this practice.

Sensitive information
CP&A’s sick leave registry contained highly sensitive information about the physical and/or mental health of employees. This included the names of illnesses, specific health complaints and indications of pain. It is not necessary for employers to process this kind of information for the reintegration of their employees.

Sensitive personal data
Health data constitutes sensitive personal data, which must be given special protection. Everyone has the right to keep such information to themselves wherever possible, and this includes employees. However, an employee can feel obliged to share such information with their employer. 

If an employer has knowledge of an employee’s physical or emotional state of health, it may form an opinion or take decisions that have a major impact on the employee concerned.

Nature and cause of illness
Under privacy law employers are not allowed to register information about the nature or cause of an individual’s sickness absence notification. Nor can the employer ask questions about such things. That is for the in-house medical officer or the safety, health and welfare services to address. 

In exceptional situations an employer may register information about the nature or cause of an employee’s illness. One example is when a staff member has epilepsy, and co-workers need to be aware of this so that they know what to do if the individual suffers an episode.

Sick leave register was held online
CP&A’s sick leave register was accessible online, without any form of authentication system. Information about someone’s sick leave can say something about their health, so especially strict requirements apply to the security of health data. Only authorised employees may access such data.

If a sick leave system is accessible via the internet, access to the system is permitted only via multi-factor authentication. Besides a regular login procedure, authorised individuals must confirm their identity in another manner, such as by using a security token, in order to gain access.  So a login system requiring only a user name and password is not sufficient.

Asking necessary questions is acceptable
According to DPA board member Katja Mur, ‘Of course, it’s completely understandable that an employer wants to know whether someone’s sickness absence is going to be short or long term in nature. But to establish this it isn’t necessary for employers themselves to process health data or start playing doctor. The in-house medical officer or safety, health and welfare service can provide information about the expected duration of the leave and the workload an employee can take on when they return to work.’

Naturally, an employer may ask a sick employee a number of questions to determine whether, and if so how, their tasks should be reassigned.

For more information about what is and is not permitted, see: My sick employee (in Dutch).

You can read about this fine on the Dutch DPA website here.

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.