Employee Health Data in European Law: Privacy is (not) an Option?

While there are many feasible reasons for employers to process employee health data, the protection of such data is a fundamental issue for ensuring employee rights to privacy in the workplace. The sharing of health data within workplaces can lead to various consequences, such as losing a sense of privacy, stigmatisation, job insecurity and social dumping. At the European level, the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) and EU General Data Protection Regulation (GDPR)–two interconnected instruments–offer the most enforceable protection of employee health data. The article analyses the limits of employees’ right to privacy regarding health data, as delineated by the ECHR and GDPR. Using three fictive examples, we illustrate how the level of protection differs in these two instruments. In particular, we show that the protection of health data offered by the GDPR is seen as an objective act of processing at the time it is carried out, where the actual impact caused by the processing on private life is not considered. On the contrary, the ECHR’s applicability and offered level of protection in the employment context depend on subjective factors, such as the consequences of sharing the data.