Sick employees and privacy

Publication date 16 October 2017

When your employee is sick you, as an employer, are interested in what is going on and how long you will have to miss your employee. But what about the employee’s privacy? What are you allowed to ask – and what not?

Under the Personal Data Protection Act the processing of personal data regarding a person’s health is prohibited. With the introduction of the General Data Protection Regulation (Algemene Verordering Gegevensbescherming; AVG) in May 2018, these rules will be strengthened even more. As a consequence, there will be more administration, stricter supervision by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), and higher fines amounting to 20 million euro or – if this amount is higher – 4% of the global annual turnover.

What information are you, as an employer, allowed to register about sick employees?

As an employer, you are allowed to process data regarding the health of sick employees that are necessary to establish their right to continued payment of wages during illness. In addition, you may collect data significant for drawing up the rehabilitation file. In order to establish the right to continued payment during illness the employer does not need to know the nature and cause of the illness. Therefore, the employee does not have to report these.

The following information should be registered:

Telephone number and (nursing) address of the employee during sickness
Probable duration of absence
Ongoing appointments and work
Whether the employee falls under a catch-all clause of the Sickness Benefits Act
Whether the illness is linked to a work-related accident
Whether it regards an accident in which a potentially liable third party is involved, as the right of recourse may apply (recovering labour costs on this third party).

In the event the employee is ill for a longer period, he or she will have to be guided by an occupational health and safety service and/or company doctor. Regarding the monitoring of absenteeism and the re-integration of the employee, the company doctor is allowed to share, inter alia, the following data with the employer which the employer is allowed to process:

Degree of disability of the employee
Expected duration of absence
Tasks the employee is still able to perform
Potential advice on adjustments, work facilities the employer has to provide for the re-integration.

What are you, as an employer, not allowed to register?

The data the employer has legally obtained from the company doctor may be registered. All other data regarding employees’ health are not necessary for the employer for the continued payment of wages and re-integration/monitoring of absenteeism. Therefore, they must not be registered. This involves:

Diagnoses, name of the disease, specific complaints or pains
Subjective observations by the company doctor, both mentally and physically
Data about therapies, appointments with specialists
Former or current other problems of the employee.

Employee consent

The General Data Protection Regulation contains the exemption that data may be processed with the consent of the employee. Employers should be reluctant regarding this exemption however. Employees must give their consent to the processing of specific data. In addition, the employer has a serious requirement concerning the administration and the consent can be withdrawn at all times.

Employees will also be entitled to receive their personal data from the organisation in a standard format. This is referred to as the right to data portability, for instance the identity of the employee and the data necessary for the payroll administration.

What does it mean for you?

The Dutch Data Protection Authority checks if organisations, in practice, comply with the new privacy legislation. You will have to be able to prove by means of documents that you have implemented the correct organisational and technical measures to comply with the new General Data Protection Regulation. We will gladly help you by examining the set-up of your administration in the light of the new rules. Please contact us:

Related publications

Statutory minimum hourly wage

The statutory minimum hourly wage changes every six months. What are the new amounts as of 1 July 2026?

Privacy of ill employees

Employees have a right to privacy in their private lives. This also applies to sick employees. However, they must also comply with their reintegration obligations and provide accurate information about their illness. What options does the employer have to check whether they are actually doing this?

Dismissal on the spot for a minor offence. Is that allowed?

Can you dismiss your employee with immediate effect after a minor offence, such as the theft of a (very) low-value product? Yes, you can! However, a recently published decision shows it does not go without a risk!

Digital General Meeting for Private Law Legal Entities Act adopted

On 2 June 2026, the Dutch Senate adopted the Digital General Meeting for Private Law Legal Entities Act. This Act makes it possible to hold general meetings entirely digitally. What does this mean for directors and shareholders of private limited companies, public limited companies and other legal entities?

Dismissal of a statutory director without just cause: employer ordered to pay EUR 222,000

Statutory directors enjoy less protection against dismissal, but there must still be reasonable grounds for the dismissal. Otherwise, the employer must pay fair compensation. This can be substantial, as a recent ruling has shown. Why was the employer required to pay this compensation?

AI policy for employers

The European AI Act requires employers to ensure that employees have sufficient knowledge of AI systems. This can be achieved through training, but also through an AI policy tailored to the company. What should you include in such a policy? What role does the works council play in the implementation of the AI policy?