The processing and disclosure of employees’ personal data by the employer in an effort to prevent the spread of COVID-19 in the workplace

16. 02. 2026

Labour law, or rather employment law as a whole, must often reconcile conflicting interests and needs of the employer on the one hand and the employee on the other. This tension has not spared the area regulating the employer’s handling of sensitive information concerning employees. On the one hand stands the employer’s interest in the proper performance of dependent work by the employee, reflected in the employer’s proprietary and economic interests; on the other hand stands the interest in protecting the employee’s privacy.

The protection of employee privacy is a manifestation of every natural person’s fundamental right to the protection of dignity and privacy, private and family life, and, more specifically, the right to the protection of personal data, i.e. constitutionally guaranteed human rights. These rights are envisaged in particular by Articles 7, 10, 12, and 13 of the Charter of Fundamental Rights and Freedoms, to which Article 112 of the Constitution grants constitutional status.

At the level of secondary EU law, the key instrument is the directly applicable GDPR, together with the replacement of Act No. 101/2000 Coll., on the Protection of Personal Data and on Amendments to Certain Acts, which had implemented the relevant directive into the legal order of the Czech Republic.

At the level of domestic law, the main regulation is the Labour Code, which contains the legal regulation of the employee’s personal rights, in particular in Section 316 introduced under the heading: “protection of the employer’s proprietary interests and protection of the employee’s personal rights.” The title of this heading predicts the focus of the provisions that follow. For the purposes of this article, paragraph 4 of this section is particularly significant, from which it is apparent at first sight that it constitutes a general provision of the statute, to be applied in cooperation with other provisions of the legal order, and in its application relies primarily on the Civil Code, which forms the subsidiary foundation for the Labour Code. The Civil Code, in its position as lex generalis,[1] is to be applied subsidiarily where all statutory conditions for the legal framework are satisfied, above all consistency with the principles of labour law. The Civil Code establishes a comprehensive concept of protection of personality rights, on the basis of which, in accordance with Sections 81 to 117 of that Act, one may seek cessation of further unlawful interference and possible reparation of consequences already caused by such interference.[2] Protection of these personality rights is also provided through criminal law (cf. Section 178 of the Criminal Code) and administrative offence law (cf. Section 7(1)(a) of the Act on Certain Offences).

It is clear that the protection of personality rights in the form of the right to privacy and the right to the protection of personal data is not governed by a single legal regulation, i.e. not solely by the Labour Code or the Civil Code, as might appear at first glance, but rather by the mutual interplay of legal regulations and individual legal norms of both public and private law.

In the event of an interference with an employee’s personality rights, one therefore cannot exclude, for example, the concurrence of criminal-law consequences together with proceedings for damages, unless such damages are awarded within criminal proceedings in so-called adhesion proceedings.[3] Hůrka[4] mentions, in this regard, for example, the possibility of concurrent proceedings consisting of an action for the protection of personality rights together with the right to request publication of a reply and a supplementary statement under the Press Act or the Act on the Operation of Radio and Television Broadcasting. In the field of labour law, it would be more appropriate, instead of the example of a request for publication of a reply and supplementary statement, to mention the imposition of a sanction under the GDPR, which is more closely related to the topic of this article.

Janečková[5] divides personal data into those whose processing is explicitly envisaged by special legislation, those whose processing is not directly envisaged by legislation but whose necessity follows from the purpose assumed in individual statutory provisions, and those which the employer processes on its own initiative. This distinction should be taken into account especially when assessing whether the processing of personal data is lawful, since the existence of a statutory basis for such processing is crucial in deciding whether the employer’s processing is lawful at all.

Collection and handling of personal data without subsequent disclosure to third parties

Basic terminology and principles of personal data processing

Under Article 4(1) GDPR, personal data means any information relating to an identified or identifiable natural person (the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Wherever this section of the article refers to an employee, this also means the data subject, and vice versa.

The issue of personal data processing under the GDPR should also be introduced by the principles on which such processing is based and which are set out in Article 5 GDPR. The first of these principles, which symbolically introduces all the others, is the principle of lawfulness, fairness, and transparency, which emphasizes that the processing of personal data constitutes an interference with the fundamental rights of data subjects and that it is therefore necessary strictly to comply with legal rules and eliminate any unlawful situation, although the GDPR itself may, in some respects, take such situations into account.[6] The principles of purpose limitation and data minimization require that personal data be processed only to the extent necessary for the purpose of such processing and the objectives of the GDPR. Information that is excessive and does not directly serve the purpose for which personal data are processed may not be processed. For this reason, the first sentence of Section 316(4) of the Labour Code, according to which the employer may not request information from the employee that is not directly related to work performance and to the basic employment relationship referred to in Section 3, appears redundant, since this already follows from the directly applicable GDPR. This conclusion regarding redundancy may also be inferred from the fact that the GDPR provides employees with a higher level of protection. Section 316(4) of the Labour Code speaks only of requesting information, whereas the GDPR provides protection not only with respect to requesting information under the Labour Code, but with respect to all handling of such data in accordance with the definition of personal data processing in the GDPR. The data controller is also obliged, pursuant to the principle of accuracy, to process accurate data and, where necessary, to keep personal data up to date. The principle of storage limitation is linked to the principle of purpose limitation, but the limitation here is temporal rather than purpose-related. In accordance with this principle, personal data allowing personal identification are processed only for as long as is necessary for the purposes of such processing. Personal data may be processed contrary to the foregoing sentence only where they are processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes under Article 89(1), subject to the implementation of appropriate technical and organizational measures required by the Regulation to safeguard the rights and freedoms of the data subject. Finally, there is the principle of integrity and confidentiality, which imposes the highest demands on the manner of processing so as to minimize the risk of unauthorized access to, or misuse of, the processed data.

Another principle under Article 5(2) GDPR is the principle of accountability. In reality, however, this is less a principle than an emphasis on the subject responsible in the event of error or conduct contrary to the GDPR. This conclusion is also supported by its systematic placement in paragraph 2 of that article.

It should be noted that this list is not exhaustive, and therefore not final. Additional principles may also be derived from the GDPR, even though they are not explicitly stated in Article 5. One may also infer from the GDPR the principle of proportionality, consisting in the necessity of weighing every interference with the fundamental right of the data subject against other values that typically represent conflicting interests. This is also expressed in the judgment of the Court of Justice of the European Union of 12 July 2012, C-59/11, Graines Baumaux SAS. The principle of subsidiarity of processing likewise reflects the nature of limiting a data subject’s fundamental right, in that such rights may be interfered with only where the purpose cannot be achieved by another, less invasive means. The principle limiting transfers of information to third countries is explicitly expressed in Article 44 et seq. GDPR; it allows processing of personal data outside countries bound by the GDPR only where such countries ensure adequate protection of the processed personal data comparable to that provided by the GDPR, i.e. protection at least of the same standard as the GDPR, or where suitable safeguards are provided that are capable of ensuring such protection.[7] Finally, there is the principle of enhanced protection of children’s personal data, already expressed in Recital 38 GDPR, which refers in particular to the increased protection of children on account of their inexperience and unawareness of the risks associated with providing personal data, thereby justifying a stricter approach to the processing of such data and the need for greater protection.

Monitoring health status and COVID-19 infection as personal data

This part of the article aims primarily to discuss the collection of personal data and the subsequent handling of such data without their subsequent disclosure. Disclosure of personal data itself is dealt with in the following section, which focuses on certain specific aspects associated with that activity. Where this section refers to the processing of personal data, this means processing in a narrower sense as defined in this sentence, irrespective of the legal definition under the GDPR.

“Data concerning employees’ health belong to special categories of personal data (sensitive personal data), and stricter rules apply to their processing.”[8]

In Bodil Lindqvist v. Sweden, the Court of Justice of the European Union interpreted the term used in the previous legal framework, “data concerning health,” very broadly, stating that it “covers information concerning all aspects, both physical and mental, of the health of a person,” and therefore constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46 (now sensitive personal data concerning health under Article 9(1) GDPR).

The concept of sensitive personal data is mentioned already in Recital 10 GDPR, where such data are privileged by being systematically placed among the so-called special categories of sensitive data, while it is also expressly stated that “this Regulation does not preclude Member States from maintaining or introducing provisions specifying the circumstances of specific processing situations, including more precisely determining the conditions under which the processing of personal data is lawful,” thereby leaving Member States discretion as to whether they preserve only the minimum standard required by the GDPR or, on their own initiative, further tighten that protection.

Article 9(1) GDPR then defines special categories of sensitive data as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning health or a natural person’s sex life or sexual orientation. Processing of such sensitive personal data is, as a rule, prohibited a priori.

In the following paragraph of that article, however, the effect of paragraph 1 is limited for certain situations, since it sets out the circumstances in which the prohibition on processing such personal data does not apply. From this extensive exhaustive list, it is sufficient, for the purposes of the issue examined here, to mention in particular points (a), (b), (h), and possibly (i), which are discussed in more detail below.

The Court of Justice also anticipates limitations on personality rights. In its judgment of 17 October 2013, C-291/12, Michael Schwarz v. Stadt Bochum, it held that the rights under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union are not unlimited and that the authority applying the law may and must take into account the purpose of those rights and their function in society. In doing so, it refers to Article 52(1) of the Charter, which expressly permits limitations on rights and freedoms recognized by the Charter, while at the same time emphasizing that the same article lays down the conditions under which such limitations may occur. Such limitation must be provided for by law and must respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be imposed only where they are necessary and genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others.

As the primary legal basis for the processing of all personal data, the GDPR envisages consent as the first exception to the general prohibition described above. Under point (a), the relevant data may be processed where the employee has given consent, and special requirements apply to such consent. Above all, the consent must be explicit, which is the first condition of its validity. “This quality constitutes a significant difference from consent under Article 6(1)(a), which may also be given implicitly (...), whereas in the case of sensitive personal data this simplified form of granting consent (or inferring it from other indisputable and clear facts) is excluded.”[9] Written form is not mandatory, but it is in the employer’s interest to choose that form in order to strengthen its evidentiary position. The same applies to textual form, although it will be more difficult to prove that the legal act contained in the text can be attributed to the person acting because of the absence of their signature, which substantially undermines the evidentiary function of the document in textual form. The European Data Protection Board has previously warned, with regard to the quality of consent, that this exception allowing the processing of sensitive personal data is in fact limited by the relationship of dependency between employee and employer, which undermines the credibility of any manifestation of free will. The employer may therefore rely on this ground only where it is able to prove that the consent was freely given.[10] This rule, however, certainly cannot be understood absolutely, since that would ad absurdum imply the duty to prove all necessary elements of the acting person’s will. One may therefore speak of a rationalized burden of proof on the employer, who must demonstrate that the employee had the opportunity to express their free will and that the employer did not interfere with that will, after which it would then potentially be for the employee to prove that this was not the case.

A second condition for consent to produce legal effects is that the employee may not, by means of consent, remove the prohibition under Article 9(1) GDPR. In simplified terms, this means that the granting of consent must be in conformity with domestic or EU law,[11] whereby the GDPR also leaves room for regulation by special statutes in particular cases. In labour law, this may be represented, for example, by Section 316(4) of the Labour Code, which prohibits the employer from requiring employees to provide certain data listed in that paragraph, some in all cases, and some only where there is no factual reason arising from the nature of the work.

Under Article 9(2)(b) GDPR, the processing of personal data referred to in Article 9(1) GDPR is permissible where it is necessary for carrying out obligations and exercising specific rights of the controller or of the data subject in the field of employment law.

The purpose of this provision is to maintain consistency between the legal regulations of Member States and EU law, since it would not be possible for EU law to prohibit the processing of personal data in situations where such processing is required by the domestic legal framework of a Member State, or where that obligation is founded on a decision of a public authority.[12] It is therefore a special rule ensuring the inapplicability of the principle of the precedence of EU law over domestic law.[13] An example would be the situation under Section 105 of the Labour Code, which presupposes the clarification by the employer of the circumstances of an employee’s workplace accident. Without the above exception, the employer would simultaneously be obliged properly to clarify the workplace accident—which often requires knowledge of personal data—and yet exposed to the risk of breaching obligations under the GDPR. However, the special domestic regulation that is applied by virtue of Article 9(2)(b) GDPR does not affect the other directly applicable provisions of the GDPR, and the requirements laid down in the GDPR must therefore be respected even in such cases.

The GDPR defines data concerning health as a special term in Article 4(15), namely as personal data related to the physical or mental health of a natural person, including the provision of health-care services, which reveal information about that person’s health status.

As already noted above, personal data concerning an employee’s health may fall within an exception to the prohibition on processing such data, particularly where the employer is obliged by applicable law to collect such information.

This also includes the need to protect employees in the workplace and the performance of the employer’s obligations in the field of occupational health and safety, since the employer is obliged to ensure a safe and health-protective working environment and working conditions by organizing occupational safety and health properly and by adopting measures to prevent risks.[14]

This conclusion, however, cannot be generalized, since the fulfilment of the conditions legitimizing the processing of information concerning employees’ health, in accordance with the exceptions discussed above, must always be assessed in light of the individual circumstances of the case.

If the prohibition on processing personal data cannot be legitimized by the employee’s consent, it is necessary to examine whether another exception to the prohibition applies which would legitimize such processing. In this regard, the supervisory authority, the Czech Office for Personal Data Protection, which under Section 50 of Act No. 110/2019 Coll., on Personal Data Processing, as amended, exercises supervision in this area, stated that: “in specific situations, the employer is obliged to proceed in such a way as to prevent risks, eliminate them, or minimize them; this is referred to as the duty of prevention. In a situation of danger, the employer is therefore obliged to adopt the necessary protective measures corresponding to the circumstances. It is naturally advisable to proceed in cooperation with the public health protection authorities, to whom the employer is also obliged in certain situations to report facts laid down by legal regulation.”[15] From this, the employer’s right to process personal data concerning the employee’s health was inferred in accordance with the exception under Article 9(2)(b) GDPR. Otevřel[16] likewise regards an employee’s health status as a typical example appropriate for the application of Article 9(2)(b) GDPR where the additional conditions are satisfied.

At first glance, it is apparent that the employer is thereby placed in a difficult situation, in which it must assess whether the collection of information about employees—whether by thermal cameras measuring body temperature, by manual temperature checks, by testing in the workplace, by information concerning the employee’s infection itself, or by many other means—is necessary in order to ensure a safe and health-protective working environment.[17] This requires the employer to make a demanding legal assessment of the admissibility of personal data processing, while the conditions for such processing are not fixed but variable, requiring the employer to react without delay, and exposing it, in case of error, to the consequences envisaged in the GDPR or in other laws.

In her article, Ourodová identifies criteria for assessing the necessity of processing such sensitive personal data in order to maintain a safe and health-protective working environment. Among these criteria she includes “the nature of the workplace, the number and placement of workers, the current development of the epidemiological situation, and whether the measure cannot be replaced by another, less invasive measure.”[18] To this one may add that the list is certainly not absolute, and that it is also possible to take into account the nature of the work performed, interpersonal contact, the use of protective equipment by employees in the workplace, the alternation of employees assigned to individual shifts, and other factors affecting the possibility of mutual infection among employees, which will depend above all on the nature of the employer’s activity.

The situation connected with an epidemic is expressly anticipated by the GDPR itself. Recital 46 explicitly addresses epidemics, stating that: “the processing of personal data should also be regarded as lawful where it is necessary in order to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject, for instance where processing is necessary for humanitarian purposes, including monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.” This clearly suggests how one should approach the processing of personal data during a pandemic.

The view that interference with personality rights may be justified on account of the COVID-19 pandemic is also endorsed, for example, by Mašek[19] in his article, while at the same time emphasizing the duty to respect, in the processing of such data, the principles and rules of personal data processing under the GDPR. Similarly Horecký[20] regards the performance of a public interest in the field of public health as a legitimate ground for personal data processing in an epidemiological situation. He does not, however, specify what that public interest consists in. Nor does Act No. 94/2021 Coll., on Extraordinary Measures during the COVID-19 Epidemic and on Amendments to Certain Related Acts, provide an interpretative key to that indeterminate legal concept, so that it must be inferred by interpretation in response to the concrete circumstances of the case. Determining what constitutes a public interest may often be difficult. In simple terms, it may be defined as a value serving the benefit of the public. This does not, however, mean merely the interest of the majority, since even the interest of an individual may prevail where, by reason of the wider significance of that individual interest as compared with another interest representing a greater number of persons, it carries sufficient weight. The case law of the Supreme Administrative Court adheres to the thesis that public interest is not determined in the legislative process, but only through the actual application of law by the bodies competent to do so. In a democratic state governed by the rule of law, it is undesirable, in view of the separation of powers, that this be decided by the legislative branch. “Public interest (…) must be expressly formulated in relation to the конкретely assessed matter and must be convincingly distinguished from a private or collective interest.”[21]

The possibility of processing sensitive personal data relating to employees’ health in connection with an epidemic was also addressed by the European Data Protection Board in its statement Statement on the processing of personal data in the context of the COVID-19 outbreak of 19 March 2020, in which it inferred the lawfulness of processing sensitive personal data by reference to Article 9(2)(i) GDPR, subsuming the epidemiological situation under that exception. The wording of that exception shows that a condition for its application is the existence of a public interest, which the GDPR here connects with threats to health and the protection of health. At first sight, it is clear that this exception is formulated much more broadly than the others discussed above. It is therefore necessary to interpret it restrictively, especially the concept of public interest, with regard to the purpose of the provision, and in interpreting and applying this norm to keep in mind the principles of the GDPR, which here serve an equally important interpretative and applicative function as with the other exceptions, especially given the abstract nature of the notion of public interest. Purely private interest is irrelevant in this context.

Possibility of communicating personal data concerning health status and COVID-19 infection by the employer to employees

Since the article has already dealt with the conditions for processing sensitive personal data, with a focus on employees’ health during a pandemic, it is appropriate to examine whether, after processing such data, it is possible subsequently to distribute them to other employees at the workplace in an effort to prevent further spread of infection.

The GDPR principles discussed above also apply in such cases. It follows from them that, as a rule, the employer is not entitled to provide information about health status, or indeed other information relevant to health status, outside the employer’s workplace, given that it will be difficult for the employer to justify the necessity of such disclosure to external subjects. For that reason, this article focuses only on information concerning health status provided by the employer to employees regarding other employees sharing the same workplace, where the issue is more complex.

This section therefore concerns the possibility of making sensitive personal data accessible to other employees in the employer’s workplace. I regard this as a more serious interference with the rights of the data subject than the mere collection and handling of such data by the employer itself, even though, formally, the GDPR does not distinguish between collection, recording, organization, structuring, and distribution of personal data or making them accessible, since, in accordance with the above definition, all such activity constitutes personal data processing.

For this reason, one may in this connection refer to everything stated in the previous part, because the previous analysis was likewise based on the legal framework of the GDPR, which regards even making such data concerning health accessible to other subjects as personal data processing, in accordance with the definition provided in the Regulation.

It is, however, necessary, when making sensitive personal data accessible, to place greater emphasis on justifying the handling of such personal data, because the employer’s conduct thereby amounts to a disclosure, albeit to a limited group of persons connected with the employer’s workplace, which will typically constitute a more serious interference with the employee’s personality rights and therefore presupposes a higher degree of necessity than the mere processing of such data by the employer.

Horecký[22] considers disclosure of personal data, in this regard, such a serious interference with the personality rights of the data subject that he unequivocally rejects the conclusion that such a procedure could be lawful for the employer. He follows this rather radical conclusion with the claim that the only permissible subject matter of disclosure would be information about the number of infected persons, or, for example, the identification of workplace clusters without naming specific persons. He justifies the sufficiency of such a measure by stating that “sufficient information to employees about the number of infected colleagues may lead to due caution on the part of uninfected employees, thus fulfilling one of the objectives laid down by the Labour Code—safe and health-protective conditions in the workplace.” In his view, this is sufficient.

I cannot agree with these conclusions, although I appreciate the effort to ensure the highest possible degree of protection of sensitive personal data in the workplace, as required by the principles of the GDPR, because the conclusion is too rigid and does not take into account possible workplace situations requiring a flexible and immediate response to prevent the spread of COVID-19 in the workplace, which is undoubtedly a public interest also recognized by the GDPR. Information about individual employees’ vaccination status may likewise be highly relevant to the protection of employees’ life and health. Such information, however, need not always be as decisive as information about infection in a particular employee. It is therefore the employer’s duty carefully, and in accordance with the principle of proportionality, to assess whether disclosure of such information is also necessary to ensure a safe workplace. The issue of vaccination may, in light of the social situation in society, be regarded as a kind of opinion that polarizes society. In the extreme case, it may therefore amount to an interference with the right freely to express one’s views under Article 11(2) of the Charter of Fundamental Rights and Freedoms. It may certainly also give rise to differential treatment in the workplace, which is unacceptable, particularly with regard to the Charter and Act No. 198/2009 Coll., on Equal Treatment and Legal Means of Protection against Discrimination and on Amendments to Certain Acts.

A dissenting view from Horecký is also held by the Czech Office for Personal Data Protection, which assumes that in certain circumstances it is possible to inform employees about another employee in the workplace infected with COVID-19. Even in such cases, however, the employer is obliged to respect the dignity and integrity of the person to whom the sensitive personal data relate.[23]

Partial conclusion

Sensitive personal data include any information concerning a person’s health status relating to all aspects of that person’s health, whether physical or mental.[24] For this reason, not only information about an employee’s infection with COVID-19 or any other illness, but also any other information concerning health status that the employer processes for the purposes of preventing the occurrence of disease in the workplace and thereby ensuring a safe environment for the performance of dependent work, is regarded as health data. The processing of personal data concerning health status, as sensitive personal data, is unproblematic where the employee’s consent is given. If such consent is absent, it is necessary to find a statutory basis on which the employee’s consent may be replaced. Several exceptions have been mentioned above on which the employer may rely in processing sensitive personal data without the employee’s consent; I am most inclined toward the exception under Article 9(2)(b) GDPR, which presupposes compliance with a legal obligation. In this context, I see that obligation in the need to ensure a healthy working environment, which in my view is a need that, during a pandemic and possibly also during other highly infectious diseases, outweighs the need to protect sensitive personal data concerning health status, especially at a time when COVID-19 is regarded as a part of life that may occur in any individual.

In every case, however, the specific requirements attached to the relevant exception under the individual provision must be satisfied, and, when weighing conflicting interests, the GDPR principles must also be taken into account. It will be for the controller to prove that the processing of such sensitive personal data is necessary, with regard to the individual circumstances discussed above. On the other hand, in situations where this is not so—for example because the epidemiological situation is subsiding, most employees are vaccinated, employees do not come into personal contact, or for other reasons calling into question the need to process sensitive personal data concerning employees’ health—it will be very difficult to prove the legality and legitimacy of such processing, and the burden of proof will rest on the controller.

This article is written according to the legal framework as of 1 January 2022.

Citace:

^[1]Zákoník práce opustil metodu vztah delegace mezi občanským zákoníkem a zákoníkem práce novelou č. 365/2011 Sb., která reaguje na nález ÚS č. 116/1998 Sb.

^[2] HŮRKA, Petr a kol. Pracovní právo. 3. vydání. Plzeň: Vydavatelství a nakladatelství Aleš Čeněk, 2020, s. 357.

^[3] Ustanovení § 228 odst. 1 TŘ.

^[4] HŮRKA, Petr a kol. Pracovní právo. 3. vydání. Plzeň: Vydavatelství a nakladatelství Aleš Čeněk, 2020, s. 360.

^[5] JANEČKOVÁ, Eva, BARTÍK, Václav. Ochrana osobních údajů v pracovním právu (Otázky a odpovědi). Praha: Wolters Kluwer Česká republika, 2016, s. 62.

^[6] Např. článek 33 a 34 GDPR.

^[7] European Data Protection Board. Guidelines 2/2018 on derogations of Article 49 under

Regulation 2016/679. Lucemburk: Publication Office of European Union, 2018. Dostupné z: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22018-derogations-article-49-under-regulation_cs.

^[8] SELUCKÁ, Markéta a kol. Covid-19 a soukromé právo. Otázky a odpovědi 1. vydání. Praha: C. H. Beck, 2020, s. 47.

^[9] OTEVŘEL, Richard. Zpracování zvláštních kategorií osobních údajů. In. UŘIČAŘ, Miroslav, RÁMIŠ, Vladan a kol. Obecné nařízení o ochraně osobních údajů. 1. vydání. Praha: C. H. Beck, 2021, s. 372.

^[10]  European Data Protection Board. Guidelines 3/2019 on processing of personal data through video devices. Lucemburk: Publication Office of European Union, 2019. Dostupné z: https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_201903_videosurveillance.pdf.

^[11] OTEVŘEL, Richard. Zpracování zvláštních kategorií osobních údajů. In. UŘIČAŘ, Miroslav, RÁMIŠ, Vladan a kol. Obecné nařízení o ochraně osobních údajů. 1. vydání. Praha: C. H. Beck, 2021, s. 372.

^[12] MORÁVEK, Jakub. Ochrana osobních údajů v pracovněprávních vztazích. 1. vydání. Praha: Wolters Kluwer, 2013, s. 264.

^[13] Rozsudek ze dne 15. července 1964, Costa v. E.N.E.L, 6-64.

^[14] Ustanovení § 102 odst. 1 ZP.

^[15] Úřad pro ochranu osobních údajů. Ke zpracování osobních údajů v rámci opatření proti šíření koronaviru. Praha: Poradna, 2020. Dostupné z: https://www.uoou.cz/ke-zpracovani-osobnich-udaju-v-ramci-opatreni-proti-sireni-koronaviru/ds-6134/p1=6134.

^[16] OTEVŘEL, Richard. Článek 9 [Zpracování zvláštních kategorií osobních údajů]. In: UŘIČAŘ, Miroslav, RÁMIŠ, Vladan a kol. Obecné nařízení o ochraně osobních údajů. 1. vydání. Praha: C. H. Beck, 2021, s. 372 .

^[17] Ustanovení § 206 odst. 3 ZP.

^[18] OURODOVÁ, Nikola. Citlivé údaje zaměstnanců nejen v době covidové. Právní rádce 2021, č. 4, s. 40-42.

^[19] MÁLEK, Jakub. Dopady šíření koronaviru (COVID-19) na zaměstnavatele. pravniprostor.cz, 2. března 2020. Dostupné z: https://www.pravniprostor.cz/clanky/pracovni-pravo/dopady-sireni-koronaviru-covid-19-na-zamestnavatele.

^[20] HORECKÝ, Jan, BLAŽEK, Michal. Ochrana osobních údajů. In: SELUCKÁ, Markéta a kol. Covid-19 a soukromé právo. Otázky a odpovědi. 1. vydání. Praha: C. H. Beck, 2020, s. 47.

^[21] Rozsudek Nejvyššího správního soudu ze dne 10. 5. 2013, sp. zn.  6 As 65/2012 (č. 2879/2013 Sb.)

^[22] HORECKÝ, Jan, BLAŽEK, Michal. Ochrana osobních údajů. In: SELUCKÁ, Markéta a kol. Covid-19 a soukromé právo. Otázky a odpovědi. 1. vydání. Praha: C. H. Beck, 2020, s. 47.

^[23] Úřad pro ochranu osobních údajů. Ke zpracování osobních údajů v rámci opatření proti šíření koronaviru. Praha: Poradna, 2020. Dostupné z: https://www.uoou.cz/ke-zpracovani-osobnich-udaju-v-ramci-opatreni-proti-sireni-koronaviru/ds-6134/p1=6134.

^[24] Rozsudek ze dne 6. listopadu 2003, Bodil Lindqvist v. Švédsko, C-101/01.

All articles