The DPA distinguishes between testing provided for employers by an external health service provider and testing performed directly by the employer. In the case of the use of health care providers, from the point of view of the GDPR, it will be a relationship between two separate data controllers. However, even in this case, it will be necessary to conclude an appropriate contract, even if it is not a data processing agreement within the meaning of Article 28 of the GDPR.

For both methods of testing, the DPA emphasizes the need to process only the necessary data, the obligation to inform employees about the processing, to keep records of processing and to take appropriate data protection measures. However, in the vast majority of cases, it won’t be necessary to carry out a specific data protection impact assessment (DPIA). The DPA also indicates 3 years as the period for the retention of personal data, when it is possible to impose a fine for non-testing.

Finally, from the point of view of the employer and the immediate benefit for the practice, it is necessary to appreciate that the DPA has published model wording (available for download here) of the following documentation:

• Information on the processing of personal data for employees

• Records of processing activities

• Analysis of whether it is necessary to perform DPIA (DPIA does not need to be performed).

• Radek Matouš
• Principal Associate
• +420 255 706 554

• Petra Kratochvílová
• Principal Associate
• +420 255 706 561