Dutch DPA imposes fine for mentioning medical data in absence registration

The Dutch DPA has imposed a fine of 15,000 euros on an employer for processing the cause of sick leave in its absence registration. In doing so, the employer processed all kinds of data about the physical or mental health of its employees. These are special categories of personal data, for which a processing prohibition applies. In other words, the employer may never process them; that is reserved for the occupational health and safety service. The employer in question had also simply put the absence registration online, where everyone could access it. The Dutch DPA advises that access should be via multi-factor authentication. And of course, access should be available only to the HR staff involved in absence and reintegration support.

Tip: do not process medical data in the absence registration, and incorporate multi-factor authentication if the registration is done online.

For more information and the fine decision, see: https://autoriteitpersoonsgegevens.nl/nl/nieuws/boete-voor-cpa-om-privacyschending-zieke-werknemers