The Information Commissioner (Slovenian National Supervisory Body for Personal Data Protection) received your question regarding employer’s right to inform other employees about the situation that a particular employee has been infected by SARS-COV-2:
Is it allowed, on the basis of the GDPR, for the employer to inform other employees that one of them has been infected with SARS-COV-2 virus and if so, under what conditions would you allowed to provide such information?
As requested, please find below answers to your questions:
Slovenian national legislation does not explicitly prescribe when specifically and from whom, an individual could or should obtain personal data on identifiable individuals, e.g. about who the infected individuals are, as the cases and circumstances can be extremely varied.
EDPB has already stated that in the employment context, the processing of personal data may be necessary for compliance with a legal obligation to which the employer is subject, such as obligations relating to health and safety at the workplace, or to the public interest, such as the control of diseases and other threats to health. The GDPR also foresees derogations to the prohibition of processing of certain special categories of personal data, such as health data, where it is necessary for reasons of substantial public interest in the area of public health (Art. 9.2.i), on the basis of Union or national law, or where there is the need to protect the vital interests of the data subject (Art.9.2.c), as recital 46 explicitly refers to the control of an epidemic (Statement on the processing of personal data in the context of the COVID-19 outbreak, adopted on 19 March 2020).
This means that the competent authorities, in cooperation with the health profession (National institute of public health), must assess on a case-by-case basis and determine what information is needed to protect people's vital interests or in relation to ensuring health and safety at work or on other legal grounds. For concrete instructions on how the employer is obliged to act in the event of an infection by SARS-COV-2 among employees, we suggest that employers contact National institute of public health, which can give precise and clear instructions on further procedures and planned measures.
We also emphasise that outside the inspection procedure and in advance, the Information Commissioner cannot judge which specific data may, can or even must be processed in connection with the current situation, only the competent institutions can.
Information Commissioner of the Republic of Slovenia