Client Alert

A MoFo Privacy Minute Q&A (21 September 2021)

21 Sep 2021

This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.

Question: Can a company require proof of a COVID-19 vaccination to visit work sites and/or venues in the EU or the UK?

Answer: Requiring that an individual shows proof of vaccination, recovery from a COVID-19 infection, or a recent negative test appears to be gaining traction in the EU and the UK as more and more court decisions, guidelines, and laws are published. Here are the latest three developments:

  • Spain: On September 14, 2021, the Spanish Supreme Court ruled that it does not violate the data protection rights of individuals if they are required to provide proof of vaccination/recovery/test in order to gain access to venues, such as restaurants and bars, since no health data are stored or processed. According to the court, it does not constitute “processing” of health data, if the so called “COVID Pass” is merely presented upon request, without any information actually being recorded, stored, or incorporated into a database. The court considered the measure suitable, necessary, and proportionate to reduce infections.
  • UK: Like Spain, the UK’s Data Protection Authority (the Information Commissioner’s Office) has published guidance stating that a visual check of an individual’s “NHS COVID Pass” (in either hard-copy form or using the UK NHS App) will not constitute “processing” under UK data protection law, provided that no records are retained. Use of the NHS COVID Pass as a condition of entry to a venue (including a workplace) is currently voluntary for individual organizations, but the UK Government has advised that it should not be used by essential services and retailers.
  • Italy: On September 16, 2021, the Italian Government approved new rules requiring all workers to either present proof of vaccination, a negative test, or recent recovery from infection before accessing their workspace. These measures will come into force on October 15, 2021. Any employee who fails to present a valid health certificate will be suspended from work without being entitled to wages. Additionally, a fine of between €600 to €1,500 could be imposed on employees and between €400 to €1,000 on employers if they violate the new rules.

However, please note that the deciding factor seems to be whether proof of vaccination/recovery/test is merely presented for a visual check (without data actually being stored) or whether the proof is checked for its validity (e.g., by scanning QR codes). The latter may indeed entail the processing of personal data, and data protection laws would apply.

Visit our Privacy + Data Security page for additional information from our privacy library and resource centers on cybersecurity, state privacy laws, and the General Data Protection Regulation (GDPR).



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.