Work and rights

Interview with employees after an illness

Privacy watchdog says no - with 50,000 euro penalty - to company practice assessing reintegration difficulties

3' min read

3' min read

It is forbidden to interview the employee returning from illness to find out if there are any difficulties in his or her reintegration into work.

With measure 390/2025 of 10 July, the Security Authority for the protection of personal data sanctioned an engineering company for having implemented, since 2020, a management practice that provided for an interview between the worker and his supervisor when he returned from illness, injury or hospitalisation, accompanied by the completion of a paper form - called a 'return to work interview' - which was then forwarded to the human resources department.

Loading...

According to the company, the procedure served to facilitate the reinstatement of the employee by identifying any organisational or relational difficulties. The Garante, however, found numerous critical aspects in terms of the protection of personal data, recognising the unlawfulness of the processing and imposing an administrative sanction of 50,000 euro, in addition to an order to delete the data collected and a ban on their use, for violation of certain key principles of the Gdpr (EU regulation 2016/679).

The four critical issues

.

The first critical profile, according to the Garante, concerns the absence of transparent and adequate information, in breach of Article 13 of the GDPR and of the principle of transparency contained in Article 5(1)(a). The meagre indications in the form and the generic references to internal company policies did not guarantee workers a clear and immediate understanding of the purpose, modalities and recipients of the processing. Moreover, the expression 'persons present' within the form, without further specification, implied the possible presence at the interview of third parties not explicitly indicated.

The second finding concerns theabsence of a legitimate legal basis for the processing, in violation of Articles 6 and 9 of the GDPR. The processing in question - which included data potentially capable of revealing the state of health, such as requests for interviews with the doctor, references to medical prescriptions or free comments by the employee - could not be based either on the obligation to protect the employee's health, laid down as a general rule by Article 2087 of the Civil Code, or on consent, which, in the context of an employment relationship, is not normally considered free according to Article 7 and recital 43 of the GDPR. Moreover, the activity carried out by the company did not fall within the hypothesis of health surveillance provided for by Article 41 of Legislative Decree 81/2008, which is the exclusive responsibility of the competent doctor. The employer's legitimate interest could not be invoked either, as it was unsuitable to justify the processing of data belonging to special categories.

The third element under censure consists in violation of the principle of minimisation, enshrined in Article 5(1)(c) of the GDPR. The Garante noted that much of the information collected through the questionnaire was redundant and duplicated data already held by the human resources department (reason for absence and duration of absence, any prescriptions received from the competent doctor, etc.). The additional collection, through an individual interview managed by the direct supervisor, was not justified by real organisational needs and risked resulting in forms of processing unrelated to the assessment of fitness for work.

The fourth and last point of complaint concerns the excessive retention of data, which was considered to be in breach of Article 5(1)(e) of the GDPR. The maximum term of ten years, provided for by the internal policy for the archiving of forms, was considered disproportionate to the stated purposes and unsuitable for guaranteeing effective protection of the rights of the persons concerned. Indeed, the documentation remained in the company's possession well beyond what was necessary, without objective criteria for deletion.

Serves a balance

.

This case confirms, once again, how delicate the balancing act between organisational needs of the employer and obligations in the field ofprotection of personal data is, even when there is - as in the case just described - a good faith on the part of the company in pursuing protective purposes (in the case recounted, health protection).

In the constant practice of the Garante, the privacy rules do not allow for exceptions: any processing must be designed in advance with criteria of lawfulness, transparency, and proportionality, especially when dealing with special data such as those relating to health. If these criteria are violated, the misuse of sensitive personnel data can turn into a violation of fundamental rights. Those who continue to underestimate the practical fallout of this admittedly very strict but now constant guideline risk unpleasant surprises in terms of financial penalties and organisational fallout.

Copyright reserved ©
Loading...

Brand connect

Loading...

Newsletter

Notizie e approfondimenti sugli avvenimenti politici, economici e finanziari.

Iscriviti