Netherlands - Decision on employee health data obtained via wearables - DAC Beachcroft

Netherlands - Decision on employee health data obtained via wearables

Published 17 May 2016

The Dutch DPA (the "PDA") recently looked into two companies' processing of their employees' health data obtained through wearable technology ("wearables") and on 8 March issued a press release detailing its findings.

The PDA found the two companies to be in breach of the Dutch Data Protection Act 2000, as the employees had been provided wearables by the companies in order for the companies to gain insight into their exercise and sleep patterns. The data collected, being health data, was sensitive personal data and as such, was subject to a requirement to gain consent. The PDA found that in an employment relationship, where the employee is financially dependent on the employer, consent could not be freely given by the employee.

The position is much the same under UK data protection law. To be able to process personal data of employees collected from wearables, employers would be required to obtain consent because such processing would not satisfy the processing condition of being "necessary for fulfilling a legal obligation". It is, however, generally not possible for employees to give genuine consent to their employers, so processing of the type in this case would also have been in breach of the UK DPA. As observed by the PDA, though, employers would be able to "gift" wearables to their employees where no conditions were attached to the employee's use of the wearable.

This decision follows the increasing growth of wearables in the health data industry and is in line with the PDA's stated agenda for 2016, being: i) data security; ii) big data and profiling; iii) health data; iv) digital government; and v) employment data.

As with all new projects that involve the processing of personal data (and particularly ahead of the implementation of the GDPR), organisations should undertake a privacy impact assessment in advance of any roll-out to ensure that adequate permissions and data protection measures are in place. The decision in this case does not prevent businesses taking steps towards workforce optimisation, but businesses should ensure the necessary legal considerations are taken into account.

The press release on the decision can be accessed here (Dutch).

Submitted by Charlotte Halford, Solicitor
