Requesting Health Information for Job Candidate Evaluation

Question

Can I request information about a job candidate's health condition to assess their suitability for the team?

Executive Summary

In assessing the legality of requesting health information from job candidates under GDPR, there are several crucial points to consider:

  • GDPR’s Protection of Health Data: Health data is a special category under GDPR, carrying enhanced protections and generally prohibiting processing unless specific conditions are met.
  • Lawful Bases and Consent: Processing such data is only lawful if it meets criteria under Article 6, and consent is problematic in employment due to power imbalances. Consent must be freely given, informed, and unambiguous—as mandated by Article 7.
  • Candidate’s Data Protection Rights: Job candidates have robust rights regarding their data, including the right to access, rectify, or object to data processing under Articles 15-22.
  • Data Protection Impact Assessment: Employers must conduct a DPIA for high-risk processing, like handling health data for employment suitability, to ensure mitigation of risks and compliance with Article 35.
  • Consultation with Supervisory Authorities: Employers uncertain about data processing legality should consult authorities per Article 36, especially for health data associated with high risks.

Considering GDPR’s stringent requirements, employers should explore alternatives to health information processing when assessing candidates or strictly follow legal advice to navigate the complexities of GDPR compliance.

PDF Repository

We have searched through the PDF repository of ECJ rulings, European Data Protection Board guidelines, and other documents to provide this supplemental answer.

Details

The following supplemental answer delves into the intricacies of the GDPR as it pertains to an employer's ability to request information about a job candidate's health condition. It provides legislative context and clarifications from official guidelines and court rulings.

Legal trace

The GDPR provides specific protection for personal data that are particularly sensitive in relation to individuals’ fundamental rights and freedoms. Such data are defined in Article 9 GDPR as special categories of personal data and include data about an individual’s health, racial or ethnic origin, biometry, religious or philosophical belief, political opinion, trade union membership, sex life or sexual orientation. Controllers may only process special categories of data if they can meet one of the conditions set out in Article 9(2) GDPR, such as having obtained the data subject’s explicit consent or the data have been manifestly made public by the data subject. In addition to the conditions in Article 9 GDPR, processing of special categories of data must rely on a legal basis laid down in Article 6 GDPR and be carried out in accordance with the fundamental principles set out in Article 5 GDPR. Furthermore, the processing of special categories of personal data is relevant when assessing appropriate measures according to Articles 24, 25, 28 and 32 GDPR, but also to determine whether a DPIA must be carried out according to Article 35 GDPR, and whether a data protection officer must be appointed under Article 37 GDPR. Guidelines 8/2020 on the targeting of social media users, page 31

The above excerpt illustrates the strict conditions applied to the processing of special categories of data, such as health information, under the GDPR. A prospective employer must ensure that they have a legitimate reason and appropriate legal basis in accordance with Article 6 GDPR when processing a job candidate’s health data. Additionally, the considerations within Article 5 GDPR principles and various measures in other articles emphasize the need for proportionality and data protection throughout the process.

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Judgment of the Court (Grand Chamber) of 4 July 2023, page 6

This quote addresses one of the six legal grounds for lawful processing under Article 6 — processing necessary for the performance of a contract. It implies that an employer may argue that health information is necessary to evaluate a job candidate’s suitability for the team if such considerations are deemed essential for the contract performance. However, this must be balanced against whether obtaining health information is truly essential for the contract in question.

The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by: (a) Union law; or (b) Member State law to which the controller is subject. … The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.’

Judgment of the Court (Grand Chamber) of 4 July 2023, page 7

The necessity for a legal basis as described here underlines the fact that for an employer to process health data, there must be a solid grounding in either Union or Member State law. This requires the law to serve a public interest objective and be proportional in the context of processing special categories of data.