The relevant Czech supervisory authority (the Office for Personal Data Protection) recently released a statement regarding employers’ obligations under the GDPR in connection with such testing. This statement confirms our previous conclusion:

• processing of employees’ personal data related to COVID-19 testing (the “Data”) must be limited to purposes related to the Decree;
• employees’ consent to Data processing is not required;
• employers must inform the employees about the testing, the legal basis of the Data processing, the Data storage period, transfer of the Data, and other standard details of the processing (including controller identity, employees’ rights etc.);
• the Data should be limited to the bare minimum necessary for compliance with the Decree;
• employers must make records of processing activities; such records should contain the obligatory information;
• the Data should be stored only for the period necessary for complying with the Decree;
• the Data must be secured by appropriate technical and organizational measures and accessed only by authorized persons.

Although the Czech supervisory authority has not confirmed this yet, if the conditions are met, employers must also:

• conclude a data processing agreement, if the Data is not processed by the employer only;
• involve a Data Processing Officer (“DPO”), if appointed (and in some cases, appoint a DPO).

More information here.