
By Jan Dop, LL.M.
Russell Advocaten B.V.
Amsterdam, Netherlands

When an employee is sick, you, as an employer, want to know what is going on and how long the employee will be absent. But what about the employee’s privacy? What are you allowed to ask - and what not?

Under the Personal Data Protection Act the processing of personal data regarding a person’s health is prohibited. With the introduction of the General Data Protection Regulation (Algemene Verordening Gegevensbescherming; AVG) in May 2018, these rules will be strengthened even more. As a consequence, there will be more administration, stricter supervision by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), and higher fines amounting to 20 million euro or, if this amount is higher, 4% of the global annual turnover.

What information are you, as an employer, allowed to register about sick employees?

As an employer, you are allowed to process data regarding the health of sick employees that are necessary to establish their right to continued payment of wages during illness. In addition, you may collect data significant for drawing up the rehabilitation file. In order to establish the right to continued payment during illness the employer does not need to know the nature and cause of the illness. Therefore, the employee does not have to report these.

The following information should be registered:

  • Telephone number and (nursing) address of the employee during sickness
  • Probable duration of absence
  • Ongoing appointments and work
  • Whether the employee falls under a catch-all clause of the Sickness Benefits Act
  • Whether the illness is linked to a work-related accident
  • Whether it concerns an accident in which a potentially liable third party is involved, as the right of recourse may apply (recovering labour costs from this third party).

In the event the employee is ill for a longer period, he or she will have to be guided by an occupational health and safety service and/or company doctor. Regarding the monitoring of absenteeism and the re-integration of the employee, the company doctor is allowed to share, inter alia, the following data with the employer which the employer is allowed to process:

  • Degree of disability of the employee
  • Expected duration of absence
  • Tasks the employee is still able to perform
  • Potential advice on adjustments or work facilities the employer has to provide for the re-integration.

What are you, as an employer, not allowed to register?

The data the employer has legally obtained from the company doctor may be registered. All other data regarding employees’ health are not necessary for the employer for the continued payment of wages and re-integration/monitoring of absenteeism. Therefore, they must not be registered. This involves:

  • Diagnoses, name of the disease, specific complaints or pains
  • Subjective observations by the company doctor, both mental and physical
  • Data about therapies, appointments with specialists
  • Former or current other problems of the employee.

Employee consent

The General Data Protection Regulation contains the exemption that data may be processed with the consent of the employee. However, employers should be reluctant to rely on this exemption. Employees must give their consent to the processing of specific data. In addition, the employer faces serious administrative requirements, and the consent can be withdrawn at any time.

Employees will also be entitled to receive their personal data from the organisation in a standard format. This is referred to as the right to data portability and covers, for instance, the identity of the employee and the data necessary for the payroll administration.

What does it mean for you?

The Dutch Data Protection Authority checks if organisations, in practice, comply with the new privacy legislation. You will have to be able to prove by means of documents that you have implemented the correct organisational and technical measures to comply with the new General Data Protection Regulation. We will gladly help you by examining the set-up of your administration in the light of the new rules. Please contact us.