Can an Employer Disclose an Employee’s Sick Leave?

What Can an Employer Check?

Can an Employer Disclose an Employee’s Sick Leave to a Client?

Imagine a situation where you are an employer, and suddenly an agitated client calls you. It turns out that the client has an urgent matter to attend to and cannot reach your employee who was handling the case – no response to emails, no answer to the phone. The client, of course, expresses their dissatisfaction. The situation is due to your employee falling seriously ill and currently being on sick leave – but the client is unaware of this. To explain the situation, you inform the client that the employee is absent due to illness, apologize politely, and promise to arrange for another employee to handle the matter. Everything seems fine – the conflict with the client is resolved, a replacement is assured, and the business relationship is maintained. But can the employer be sure there’s nothing to worry about?

Is Information about Sick Leave Personal Data?

According to Article 4(1) of the General Data Protection Regulation (GDPR), personal data means any information relating to an identified or identifiable natural person. Data concerning a person’s health is undoubtedly linked to the person’s identity, and, according to the definition, it includes information about the use of health services if this is how data about a person’s health status is revealed. Additionally, it is important to note that data about a person’s health falls under the special category of personal data, and processing such data is generally prohibited unless specific conditions are met.

The conditions that allow for the processing of special categories of data are set out in Article 9(2) of the GDPR. It’s a closed list, meaning that if an employer cannot find a legal basis for their action within this list, they cannot process this data. In the context of the situation described, where an employee is on sick leave, the most important legal bases include:

  1. Consent: Processing special category data, such as health data, will be allowed if the employee has given explicit consent for the processing of that data for a specific purpose. The purpose must always be specific; general consent is not valid. For example, the consent should relate to the specific use, like taking out insurance.
  2. Obligation or Right: Employers are allowed to process health data if there’s a legal obligation, like reporting to the National Health Fund (ZUS), or when processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity.
  3. Vital Interests: If the processing is necessary to protect someone’s life and the individual is physically or legally incapable of giving consent, it may be allowed.
  4. Health or Occupational Medicine: This is allowed for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

Now, let’s address the employer’s situation. The consent scenario would generally be difficult to implement, as it’s highly unlikely that the employee would consent to their employer disclosing their health data to clients. Reporting for vital interests is not relevant here. Occupational medicine could be applicable if there are regulations that require such reporting. However, the most practical solution, if disclosure is required, is using the legal obligation/right clause.

Can you inform a client that an employee is on sick leave?

Analyzing the criteria set out in Article 9(2) of the GDPR, the answer to this question is: NO. This stance is also confirmed by the President of the Personal Data Protection Office (PUODO). In a previous case, where an employer provided information about an employee’s sick leave to third parties, the PUODO imposed a reprimand on the employer. The company, as the employer, justified the disclosure by the need to explain to its clients the reasons for the employee’s lack of contact and the need to reorganize the duties of the remaining staff due to the absence of the employee on sick leave. According to the PUODO, these reasons do not constitute any of the legal grounds for justifying the data processing.

Can an autoresponder inform that an employee is on sick leave?

In the case of an employee’s absence from work, an autoresponder is often activated on the employee’s professional email, which informs the message sender that the employee is unavailable. This information often includes the name of the person replacing the absent employee and the expected duration of the absence. This prevents situations like the one described at the beginning of this article. However, the autoresponder often indicates that the employee is unavailable because they are on sick leave during a specified period. How does this relate to the considerations above? Such information will be permissible if it is the employee themselves who authors the message sent by the autoresponder. However, if the autoresponder message is created by the employer or another employee, this information cannot be included.