The employer’s GDPR obligations with regard to the health pass

Published on 14 March 2023

Since the entry into force of Law No. 2021-1040 of August 5, 2021 on the management of the health crisis, it is your employer’s obligation to control the validity of the health pass which now has the status of a real golden ticket.

From now on, “employers are responsible for monitoring compliance with the obligation provided for in point I of Article 12 by the persons under their responsibility”. Not all employers are concerned. Indeed, this highly preventive obligation applies only in certain places and events for which there is a “risk of high epidemic spread”.

This category includes the following: events, including cultural, musical, artistic and sporting ones, the leisure sector and even professional seminars of more than 50 people when they take place at a site outside the company; libraries (except university libraries and specialized ones such as the Bibliothèque Nationale de France); fairs with more than 30 stands or attractions; and ships and cruise ships offering catering or accommodation.

It can also apply to convivial places such as discotheques, clubs and dance bars; bars, cafes and restaurants, with the exception of canteens, company restaurants, takeaways and truck stops, as well as during room service and breakfast in hotels.

In addition, it applies to large shopping centers of more than 20,000 m2, according to a list defined by the prefect of the department concerned, when there is a high circulation of the virus, while ensuring that access to the transport sometimes included in these centers, or access to essential goods, is preserved by setting up alternative solutions.

The detail and precision of this list could almost prevent us from categorizing the events and/or persons concerned by this new obligation, making its scope confusing, since it is applicable to any cultural, sporting, recreational or festive event organized in the public space or in a place open to the public that is likely to give rise to an access control of persons.

The result for the employers concerned is the obligation to control the validity of the health passes of their employees, customers, patients, etc. This is a real decision-making and disciplinary power, since not holding a valid health pass can lead, in particular, to the suspension of a contract of employment.

For employees, this verification applies to all workers, whether or not they are employees of the establishment. Before the pass itself is checked, it must first be determined whether the employee is engaged in any of the activities, services or events covered by the law. An exception is provided by the decree of August 7 amending the decree of June 1, 2021 prescribing the general measures necessary for the management of the exit from the health crisis, and concerns people holding a medical contraindication certificate (the reasons are listed in the same decree).

Note that persons charged with the execution of an ad hoc task within the premises are not affected by this obligation. This must be “a very brief and non-recurring intervention”: the intervention is not related to the company’s activity and the workers performing it are not integrated into the work collective. It can also be a delivery or an urgent repair. Short interventions would therefore not require the presentation of a valid health pass.

1. Health pass: Golden ticket, white coat or back to square one?

Here are the rules of the game

The decree actually provides for two means of control: the main application “TousAntiCovid Vérif” but also: “any other reading device that meets the conditions set by an order of the ministers in charge of health and digital”.

The CNIL invited the Government, through its opinion of August 9, 2021, to review the draft decree on several aspects, including the one concerning alternative devices to the “TousAntiCovidVerif” application. To be deemed an “alternative means of control”, the devices must respect “the conditions set by order of the minister in charge of health, before being able to be used by the actors having to control the health pass”. The security measures must comply with Article 32 of the General Data Protection Regulation and provide for “robust encryption algorithms deemed to be state of the art”. The Ministry of Health has been encouraged to be transparent by publishing on its website the list of alternatives, i.e. the official list of authorized reading devices and their source code.

For the moment, the use of other alternatives has not been implemented. Only “TousAntiCovidVérif” can be used to check the validity of a pass. Moreover, in its opinion, the CNIL recalls that “the use of a single instrument for reading health passes, developed under the control of the public authority and easily identifiable for citizens, constituted an important guarantee for the misuse of data.” It is understood here that the CNIL has strong reservations about admitting other alternatives to “TousAntiCovidVérif”.

To help it in this quest, one and only one tool is available: the “TousAntiCovidVerif” application.

This application, presented as “flawless and/or ultra-secure”, allows people to circulate in the aforementioned places after a single scan (“flash”) of a unique and supposedly unattackable QR code. The scan of the QR code shows the pass as valid (in green) or invalid (in red). It is therefore a visual and instantaneous control.

The processing of personal data must be able to respect the 5 main principles derived from GDPR and regularly recalled by the CNIL: the collection of consent from data subjects, the principle of minimization, compliance with retention periods, management of requests to exercise data subjects’ rights and compliance with the principles of privacy by design and privacy by default.

As regards the “TousAntiCovidVérif” application, the minimization and purpose principles are reinforced: the only objective pursued is the control of the validity of the health pass. The same goes for the principle of limited data retention, which here even imposes non-retention of data. Indeed, the duration of processing must coincide with the scan of the QR code during the control stage.

“The data is processed only once, when the credential is read, and is not retained” and “cannot be retained and reused for other purposes.”

A simple color code, green (valid) or red (invalid), will allow or deny entry to a workplace. Three types of documents can attest to the validity of the health pass, whether or not you are vaccinated. First, a negative PCR test within the last 72 hours, which will have to be paid for (unless prescribed by a physician) from around mid-October 2021: following the Council of Ministers of August 11, 2021, Gabriel Attal confirmed the end of free tests, estimating a rate of €50 for a PCR test and €30 for an antigen test. Then, the result of a positive test attesting to recovery from COVID-19 at least 11 days ago and at most 6 months ago. Finally, proof of vaccination status attesting to a complete vaccination schedule, i.e. 7 days after the last dose.

These proofs can be integrated in digital format into the “Notebook” of the “TousAntiCovid” application, which stores them and lets you present them easily. It is also possible to store the proofs of loved ones. For the paper format, simply present the QR code printed directly on the document proving a valid health pass.

Following the recommendations of the CNIL, the type of evidence (PCR test less than 72 hours old, certificate of recovery, full vaccination schedule) is not accessible to the employer, in order to meet the requirements of the principle of minimization and not to infringe on medical confidentiality. It is a minimum reading level showing only “valid / invalid pass”.

This QR code can be presented in two forms: one from the “TousAntiCovid” application installed on your phone, and the other as the QR code issued in paper format with a complete vaccination schedule, a negative PCR test or a certificate of recovery.

The SI-DEP platform allows a person to generate a QR code from a negative PCR test or a vaccination certificate. Indeed, French people taking a COVID test receive an email or SMS inviting them to connect to the SI-DEP platform. This platform has one advantage: it prevents falsification, since the QR code generated has a unique format for authenticating the test.

The employer is able to keep the result of the health pass validity check. This means that they cannot keep the proof itself but only the result of the verification operation: a valid or an invalid pass. This method of minimization, associated with non-retention, must “allow only the persons or services authorized to carry out the control to know the data strictly necessary for the exercise of their control.”

2. Data control and retention

The employer is responsible for checking the validity of the health pass. This check can also be carried out by other named and authorized persons such as the person in charge of the premises, the event organizer, a clearly identified delegate or an employee or a service provider.

It is possible that the person in charge of the establishment is not the employer. In this case, it is up to the person in charge of the establishment to carry out the control of the required documents, informing the employer if their employee has not been able to enter the premises. This type of situation is encountered in particular when the employee works in premises other than their usual place of work, for example an employee carrying out long-term renovation or work assignments.

Similarly, the data should not be kept by the controller.

There is some inconsistency in the timeline of the vaccination schedule for employees. The obligation for professionals has applied since August 30, 2021, creating a disparity between the categories of people, clients and employees, in the same place. Indeed, a restaurant owner must strictly subject their clients to the health pass requirement, but this obligation is less strict for employees, creating quite strange situations: clients who have been “validated” on the terrace and in the open air, and a server who has not been “validated” in the kitchen and other enclosed spaces.

The Government indicates and recalls that “the verification of the identity of the holder of the health pass is not the responsibility of the persons in charge of putting the pass (…) except with regard to discotheques, the latter already having to carry out an identity check of persons due to the prohibition of access of minors.”

The check is on the validity of the health pass and not on the identity of the holder, i.e. whether it matches the pass presented. Only law enforcement agencies are authorized to perform that check: “Any person on national territory must agree to submit to an identity check carried out under the conditions and by the police authorities” (Article 78-1 of the French Penal Code).

The penalties for not presenting a pass or using one fraudulently are numerous. Thus, a non-presented or fraudulent pass leads to a €135 fine, which can go up to 6 months of imprisonment and a €3,750 fine if it happens more than 3 times in 30 days.

In addition, there are penalties for not checking the health pass. Non-diligent professionals are exposed to a fine of €1,000, a formal notice and a possible temporary closure of the establishment. In the event of a repeat offence, the fine can rise to €9,000 and be accompanied by a year in prison.

What about data retention?

This is prohibited, no more and no less. The retention and/or use of such data for other purposes is punishable by one year’s imprisonment and a fine of €45,000. This offense appears in Law No. 2021-1040 of August 5, 2021 on health crisis management: “The act of keeping the documents (…) in the context of a verification process outside the case provided (see a form that only allows the identification of its nature and the information that the person’s vaccination schedule is complete) or reusing them for other purposes is punishable by one year of imprisonment and a fine of €45,000.”

However, an exemption exists when the chosen form “does not make it possible [to] identify its nature and check that the information that the person’s vaccination schedule is complete”. In this case ONLY, it is possible to keep the result of the verification made and to issue a specific title allowing a simplified verification. This information will have to be kept in compliance with the provisions of the General Data Protection Regulation (GDPR).

The CNIL, in its opinion of August 9, 2021 on the developments brought about by the law relating to the management of the health crisis, invites the Government to limit temporary retention to the sole result of the verification carried out, in accordance with the principle of data minimization: “Temporary data retention should be limited to the result of the pass reading”.

In theory, all this seems feasible; in practice, a problem appears: the recurrence of the check. Each check must respect the non-retention of health pass data after the control, unless it adopts a “format that does not identify the nature of it and the information that the person’s immunization schedule is complete.” In practice, either the employer checks the health pass of its employees daily, or it adopts an alternative form that does not allow the harvesting of data and that respects the recommendations of the CNIL, which invited the Government to “limit the temporary conservation to the sole result of the verification operated in accordance with the principle of data minimization”.

The internal regulations will have to integrate the instructions to be respected and the control measures for the health pass, and the corresponding processing activity will have to be recorded in the register of processing activities.

Note that the law specifies that “the application of this regulation does not dispense with the implementation of measures of a nature to prevent the risks of propagation of the virus if the nature of the activities carried out allows it”.

The use of the health pass is authorized under the law until November 15, 2021.

– Talya Dostes