In the context of the employment relationship, the employer is likely to collect a certain amount of personal data, sometimes sensitive, from the employee. This may be the case of the employee's state of health, his personal evaluations or his family situation.
The processing and protection of such data is regulated by the Swiss Code of Obligations and the Federal Law on Data Protection (DPA). In principle, the employer may only process personal data of the employee if it relates to his ability to perform his job or if it is necessary for the performance of the employment contract.
He is also required to protect the data of the company's customers and suppliers. He must take measures to prevent access by unauthorized third parties.
In order to ensure that the candidate has the aptitudes to fill the position, the employer asks questions that sometimes concern sensitive data about the candidate, such as his or her state of health, possible pregnancy or criminal record. Such questions about the employee's private life are only lawful if they are directly related to the job in question. When they are illegal, the question of the right to lie arises.
Taking references from former employers is tricky because the former employer is likely to reveal a certain amount of personal information about the employee, such as his or her attitude within the company or the reasons for the termination of his contract.
References can only be taken with the consent of the candidate. Even if the candidate consents, the former employer is still obliged to protect his or her personal data. The disclosure of certain sensitive information, such as health information, is prohibited.
During the employment relationship, the employer is required to create a personal file for each employee which contains, among other things, the employment contract and any amendments, medical certificates, overtime accounts and warnings issued.
The DPA provides that, in principle, the employee has a right of access to his or her personal file, in order to verify, among other things, whether the data are accurate and whether they are processed lawfully.
However, certain documents are not covered by this right of access and the employer is not obliged to transmit them to the employee. Likewise, the employer may refuse the employee access to his or her personal file in certain circumstances, in particular when the employee goes on a fishing expedition for information in view of a proceeding against his or her employer.
The employer often collects a lot of data about customers or suppliers of the company. This information can be confidential and sensitive. In any case, the employer must ensure that this information is not accessible to unauthorized third parties.
Employers must take special measures when allowing employees to telework. The risks to data privacy are increased. The same applies when employees keep company data on their private smartphones or computers.
Whether it is for security reasons, to prevent theft or simply to control the quality of employee performance: employers are tempted to set up surveillance systems in the workplace.
The information collected, such as video surveillance, employee movements in the company car, websites visited or calls made by employees, is personal data. This data is protected by the DPA.
If an employer wants to install a surveillance system in the workplace, he must follow a strict procedure established by the Federal Data Protection Commissioner and issue a directive regulating this surveillance.
When employees are allowed to use the work phone or computer for private purposes, this procedure is particularly delicate to implement. Indeed, there is a strong risk that monitoring may infringe on the privacy of employees.
Finally, where the surveillance is lawful, the employer is still required to take steps to protect the confidentiality of the data collected through the surveillance.
Alcohol and drugs
An employer suspects an employee of being under the influence of alcohol or drugs at work. If this is the case, it may endanger the safety of colleagues or third parties or damage the interests and image of the company.
Sometimes the employer wants to test the employee to confirm his or her suspicions. In higher risk occupations, such as commercial drivers or airline pilots, the employer may wish to conduct random drug testing.
The results of these tests are the employee's personal data. Before implementing such tests, the employer must ensure that certain conditions of validity are met.
In the context of a pandemic such as Covid-19, the employer can and should take measures to protect the health of its employees. In principle, the employer must send his sick employees, who may infect their colleagues, home.
Some companies have decided, as part of Covid-19, to systematically take the temperature of employees upon entering the premises or to require them to take a COVID test regularly, upon returning from vacation or in case of symptoms. The results of these tests are the employees' personal data. Can the employee refuse to be tested or to present the test results to the employer?
Whether or not the employee is vaccinated is a personal matter. Can the employer use the company's interests to find out whether or not the employee is vaccinated, whether he or she wishes to be vaccinated or why he or she refuses to be vaccinated?
Disclosure to third parties
The disclosure of employee personal data to third parties is particularly sensitive. It is only possible if the employee consents or if a law allows it.
The communication of sensitive data, especially on health status, is in principle prohibited.
In particular situations, the employer is required to communicate certain data abroad, especially in the context of international mutual assistance for a criminal investigation abroad. This situation is particularly delicate. It is in principle prohibited if the country does not offer sufficient data protection.