Am I not allowed to note that an employee has reported sick!?

13 June 2018

According to article 9.1 of the GDPR, it is forbidden to process personal data about a data subject's health. Now you might think “oh, so we cannot write down that an employee is sick!?”. This is not the case. The prohibition on processing personal data about health is a general principle, but there are many exceptions.

Many legal provisions are built this way: first something is forbidden, but then there are many exceptions under which it is not forbidden. The prohibition together with the exceptions makes it clear that the processing is permitted only when it falls under one of the exceptions. Every processing of data about a data subject's health must fall under one of the exceptions in article 9.2 of the GDPR. Let us look at an example.

In the morning, an employee sends a text to you, the manager:

“Hi! Seems like I have the flu! I have to stay home today. /Adam”.

Personal data regarding an employee’s health

It does not take much for a personal record to be about health; it is enough that the record states that a person is sick.
There are multiple purposes for processing this type of personal data, e.g. to adjust the staffing in the workplace, to pay the sick employee and to notify the proper administrative authority (in Sweden, Försäkringskassan).

For these examples, article 9.2.b of the GDPR provides an exception for the fulfillment of obligations and rights in the workplace, which allows this processing. An example of such an obligation in Sweden is that the employer must report to the health insurance office if an employee has been on sick leave for more than 14 days.

You still need a legal basis

Bear in mind that every processing of special categories of personal data under article 9 of the GDPR still has to be based on a legal basis in article 6.1* of the GDPR. Processing personal data about sick leave is generally necessary for the fulfillment of the employment contract, which corresponds to the legal basis contract (article 6.1.b). There is also a legal obligation to notify the proper administrative authority after 14 days (in Sweden), which is a legal basis for the processing of personal data. This processing is based on the legal basis legal obligation (article 6.1.c).

A central principle of the GDPR is that personal data is not to be saved for a longer period than is necessary. This principle means that when the purpose of the processing is fulfilled, you have to erase the personal data that you no longer need. In this situation it is good to separate the different types of personal data that are being processed. If we go back to the text above, where Adam sends information about his sickness, there is most likely no reason to save the information about which sickness he had. However, the information that he called in sick has to be kept for a longer period, e.g. until the salary has been paid. There is an obligation for the employee to hand in a medical certificate after being on sick leave for eight days according to the Swedish law about sick leave.

Secure processing is important

Another aspect of protecting the special categories of personal data is that they have to be kept in a safe way. Your e-mail inbox or your text inbox is generally not considered to be a safe place for saving personal data. This is because in most cases the technical security is not high enough, but also because it is difficult to keep track of which personal data should be erased. When Adam sends a text saying that he is sick, the recipient should delete the text and, if necessary, make a note about the sick leave in a file on his or her computer or in a ledger for this purpose.

You do not have to worry about not being allowed to take notes about an employee being sick, but you should ask yourself: what information is necessary to keep? How long is it necessary to keep it?

In the text, references to the regulation are made. You can find the GDPR here!

*The legal bases for processing personal data are consent, contract, legal obligation, vital interests, public interest or the exercise of official authority or legitimate interest.


Erik Jonzén


The content presented in this blog contains general information and is not to be considered as legal advice. Please reach out to us if you have any questions.
