UOOU – statement on employers’ conducting COVID-19 tests

COVID-19 testing

Czech Republic: UOOU publishes statement on employers’ obligation to be conducting COVID-19 tests on employees.

The Office for Personal Data Protection (‘UOOU’) published, on 5 March 2021, a statement on the obligation of employers to be testing employees for COVID-19 infections, following the recent measure by the Ministry of Health. In particular, the UOOU noted that, employers will be processing the employees’ personal data in order to fulfil a legal obligation, and further states that if personal data is collected directly from the employer, then the employer will be acting as a data controller. In addition, the UOOU highlighted that the employee’s own records of tests may contain only the basic identification data of the same, such as name, surname, insurance number, data on the employee’s health insurance company, data on the exact time of the test, and the result of the COVID-19 test. Furthermore, the UOOU provided that, whilst the measure does not specify a retention period of the employee’s records of performed tests, the statement clarifies that such records must be retained at least until the termination of the measure to perform the mandatory testing and until the necessary processing of payments and claims that may arise as a result of the testing.

Moreover, the UOOU detailed that employers must ensure that personal data is processed in a secure manner and take into account its organisational and technical arrangements in order to properly store the records of the tests performed against possible loss or disclosure to unauthorised persons. Lastly, the UOOU emphasised that employers must provide employees with information on the type, nature, and chosen method of testing, as well as specific information, including the legal basis of such processing, possible transfer of data to public health authorities, and states that records of the processing of employees’ personal data for testing purposes must be kept as part of the records of processing activities pursuant to Article 30 of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).

You can read the statement, available in Czech, here.