Vaccinations in the workplace: Balancing public health and data protection

July 13, 2021
Thanks to Giulia Conforto for collaborating on this article

On April 6, 2021, the Italian government, trade unions, and various employers’ associations agreed upon and adopted a national protocol permitting employers to facilitate vaccinations by organizing vaccination clinics in the workplace.

All companies that meet a set of requirements can participate in the vaccination campaign in the workplace, and all workers can voluntarily participate. The campaign launched on June 3, 2021.

Companies’ commitment to the vaccination of workers constitutes a public health activity that achieves the dual aim of “contributing, accelerating, and implementing vaccination at the territorial level and, at the same time, making the continuation of commercial and productive activities safer,” and thus increasing workplace safety.

However, this initiative involves processing personal data, including workers’ health data. Therefore, while it provides an opportunity to support vaccination and make it easier for employees to access vaccination, it also must be implemented in compliance with data protection regulations (Regulation (EU) 679/2016 and the Privacy Code), as well as emergency regulations, ensuring the “protection of privacy” and avoiding any form of discrimination against workers.


Any company that intends to join the vaccination campaign must meet the following requirements:

  • sufficiently large workforce;
  • located in the territory covered by the healthcare authority (Azienda Sanitaria Locale, or ASL) that supplies the vaccines;
  • organizational structure and instrumental and personnel resources appropriate to the volume of activity expected to ensure the activity runs smoothly and avoid crowding;
  • IT equipment suitable to ensure correct and timely recording of vaccinations;
  • suitable environments, proportionate to the volume of vaccinations to be performed, for the preliminary stages (intake), proper vaccination process (clinic/infirmary), and subsequent phases (post-vaccination observation).


The employer is required to inform its employees of the opportunity to get vaccinated. Signups must be collected by the assigned doctor, who is required to inform workers about all aspects of vaccine administration (including any risks). To protect workers’ information, when submitting the company’s vaccination plan to the appropriate local healthcare authority, the employer must limit itself to providing only the total number of vaccines necessary for implementation of the initiative without providing any elements that might reveal the identities of workers participating in the initiative.

Once the signup phase is complete and it has been confirmed that vaccines are available and all requirements have been met, the relevant healthcare authority will plan the vaccination sessions and agree on how the assigned doctor or health personnel identified by the employer will receive the vaccines.

Actual administration of the vaccine “is reserved for health professionals able to guarantee full compliance with the health requirements adopted for this purpose and in possession of adequate training for Covid-19 vaccination” and must be carried out inside the premises indicated by the employer under the supervision of the relevant healthcare authority.

In any case, the premises designated for administration of the vaccine must be arranged so that, to the greatest degree possible, the identities of those who have chosen to participate are not made known to colleagues or third parties.

Finally, the employer shall bear the costs for management of any business planning and administration, while it is up to the local Regional Health System to supply vaccines and tools for their administration, such as syringes and needles, as well as staff training and tools for keeping records of the vaccines administered.


As noted above, protection of employees’ personal data is a particularly important element in this process. The Italian Data Protection Authority (Garante) provided important guidelines for the processing of personal data in a document dated May 13, 2021.

More specifically, the Garante emphasized that respect for the traditional allocation of duties to the doctor and the employer must always be ensured. Therefore, the employer is not allowed to collect information on any aspects relating to vaccination directly from the interested parties, through the doctor, or through other healthcare professionals or healthcare structures. This information includes employees’ intention of joining the campaign or not, the administration (or not) of the vaccine, and other data relating to employees’ health conditions, even if such information is provided with the formal consent of the employees themselves; employees are considered unable to express “freely given consent,” as they are the weaker parties in the relationship.

The only information that the employer is entitled to seek from the appointed doctor is an “assessment of the employee’s suitability” with respect to specific tasks assigned to the employee.

Indeed, only the assigned doctor can process employee health data, including, when appropriate, information relating to vaccination, in the context of health oversight, and when assessing suitability for a specific job.

Should an employer use tools (i.e., software applications) to collect information on employee participation in the vaccination service available at the company, office staff or personnel in similar roles who perform duties for the employer should never, even incidentally, be afforded access to personal data relating to employees’ participation and histories.

Finally, to the greatest extent possible, measures should be taken to ensure the confidentiality and dignity of the worker, including during the period immediately following vaccination, preventing the unnecessary circulation of information in the workplace and behavior inspired by mere curiosity.


As mentioned, vaccination in the workplace is a public health initiative, aimed at protecting the health of the community and not related solely to prevention in the workplace. However, it is necessary to strike the proper balance between the two fundamental rights at stake: public health and the protection of privacy—rectius the protection of workers’ personal data—especially given the sensitive nature of the data in question, i.e., health data.
