Requesting Health Information for Job Candidate Evaluation

Question

Can I request information about a job candidate's health condition to assess their suitability for the team?

Executive Summary

In assessing the legality of requesting health information from job candidates under GDPR, there are several crucial points to consider:

  • GDPR’s Protection of Health Data: Health data is a special category under GDPR, carrying enhanced protections and generally prohibiting processing unless specific conditions are met.
  • Lawful Bases and Consent: Processing such data is only lawful if it meets criteria under Article 6, and consent is problematic in employment due to power imbalances. Consent must be freely given, informed, and unambiguous—as mandated by Article 7.
  • Candidate’s Data Protection Rights: Job candidates have robust rights regarding their data, including the right to access, rectify, or object to data processing under Articles 15-22.
  • Data Protection Impact Assessment: Employers must conduct a DPIA for high-risk processing, like handling health data for employment suitability, to ensure mitigation of risks and compliance with Article 35.
  • Consultation with Supervisory Authorities: Employers uncertain about data processing legality should consult authorities per Article 36, especially for health data associated with high risks.

Considering GDPR’s stringent requirements, employers should explore alternatives to health information processing when assessing candidates or strictly follow legal advice to navigate the complexities of GDPR compliance.

Legal trace

Understanding the GDPR Landscape for Health Data Processing

Processing of personal data revealing… data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. Article 9(1)

Health data is deemed a special category of personal data under GDPR, which is accorded a higher level of protection. Article 9(1) establishes that processing health data is generally prohibited, indicating that collecting health data from job candidates inherently encounters strict regulatory scrutiny.

Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context… Article 88(1)

While GDPR sets the framework for processing health data, Article 88(1) allows Member States to enact specific laws or collective agreements that might offer certain flexibilities or impose additional restrictions for processing employee data. Consequently, a complete answer necessitates a review of pertinent national regulations.

Lawfulness and The Conditions for Processing Health Data

Processing shall be lawful only if and to the extent that at least one of the following applies: Article 6(1)

The legality of processing health data depends on whether it fulfills one of the lawful bases outlined in Article 6(1). For instance, the consent of job candidates could serve as a basis; however, the nuances of consent in an employment context must be thoroughly assessed against the standards set out in Article 7 to determine its validity.

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. Article 7(1)

Article 7 emphasizes the stringent conditions that define valid consent. In the employment context, consent must be freely given, specific, informed, and unambiguous, which raises questions about whether an employer can rely on consent when collecting health data from job candidates, considering the intrinsic power imbalance in such relationships.

Balancing Employer’s Interests with Candidates’ Data Protection Rights

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information… Article 15(1)

The rights afforded to data subjects, including access to and control over their data, as articulated in Articles 15-22, would need to be honored should health data be processed. Job candidates can access, rectify, erase, or object to the processing of their health data, which affects how an employer manages such information during the evaluation process.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her… Article 21(1)

Article 21 provides job candidates with a right to object to processing, which, regarding their health data, may challenge the justifications an employer has for such screening practices.

Considering Mitigation of Risks and Authority Guidance

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Article 35(1)

For processing that is likely to pose a high risk to individuals’ rights, such as health data processing for employment suitability, Article 35(1) mandates a Data Protection Impact Assessment (DPIA). This requirement enhances the accountability of the employer in mitigating risks associated with health data processing.

The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. Article 36(1)

Where there is uncertainty about the legality of processing health data, Article 36(1) provides a process for consulting with supervisory authorities to verify compliance or seek guidance.

In summary, the GDPR places significant checks on the processing of health data, categorizing it as sensitive and thereby invoking stringent prohibitions, with narrow exceptions. An employer’s interest in such data for evaluating job candidate suitability is hedged with legal challenges and risks. Any decision must not only rely on finding a lawful basis under Articles 6 and 9, particularly in light of Articles 7 and 88, but also respect the comprehensive rights of job candidates related to their personal data.

Considering these facets of GDPR, it is doubtful that requesting health data for team suitability assessment purposes would be broadly permissible without detailed legal justification, possible reliance on national legal provisions, and stringent adherence to data protection principles. Hence, it would be advisable for employers to seek alternative means for evaluating candidates that do not involve the processing of health data, or if this is not possible, to work closely with legal experts and the relevant supervisory authorities to ensure full compliance with GDPR requirements.

PDF Repository

We have searched through the PDF repository of ECJ rulings, European Data Protection Board guidelines, and other documents to provide this supplemental answer.

Details

The following supplemental answer delves into the intricacies of the GDPR as it pertains to an employer's ability to request information about a job candidate's health condition. It provides legislative context and clarifications from official guidelines and court rulings.

Legal trace

The GDPR provides specific protection for personal data that are particularly sensitive in relation to individuals’ fundamental rights and freedoms. Such data are defined in Article 9 GDPR as special categories of personal data and include data about an individual’s health, racial or ethnic origin, biometry, religious or philosophical belief, political opinion, trade union membership, sex life or sexual orientation. Controllers may only process special categories of data if they can meet one of the conditions set out in Article 9(2) GDPR, such as having obtained the data subject’s explicit consent or the data have been manifestly made public by the data subject. In addition to the conditions in Article 9 GDPR, processing of special categories of data must rely on a legal basis laid down in Article 6 GDPR and be carried out in accordance with the fundamental principles set out in Article 5 GDPR. Furthermore, the processing of special categories of personal data is relevant when assessing appropriate measures according to Articles 24, 25, 28 and 32 GDPR, but also to determine whether a DPIA must be carried out according to Article 35 GDPR, and whether a data protection officer must be appointed under Article 37 GDPR. Guidelines 8/2020 on the targeting of social media users, page 31

The above excerpt illustrates the strict conditions applied to the processing of special categories of data, such as health information, under the GDPR. A prospective employer must ensure that they have a legitimate reason and an appropriate legal basis in accordance with Article 6 GDPR when processing a job candidate’s health data. Additionally, the principles of Article 5 GDPR and the safeguards required by the other articles cited above emphasize the need for proportionality and data protection throughout the process.

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Judgment of the Court (Grand Chamber) of 4 July 2023, page 6

This quote addresses one of the six legal grounds for lawful processing under Article 6 — processing necessary for the performance of a contract. It implies that an employer may argue that health information is necessary to evaluate a job candidate’s suitability for the team if such considerations are deemed essential for the contract performance. However, this must be balanced against whether obtaining health information is truly essential for the contract in question.

The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by: (a) Union law; or (b) Member State law to which the controller is subject. … The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

Judgment of the Court (Grand Chamber) of 4 July 2023, page 7

The necessity for a legal basis as described here underlines the fact that for an employer to process health data, there must be a solid grounding in either Union or Member State law. This requires the law to serve a public interest objective and be proportional in the context of processing special categories of data.