🤔 Is this allowed? Privacy edition

NO — VERY STRICTLY PROHIBITED

May a business request employees' vaccination status?

Health data = GDPR Art. 9 special category. Almost never allowed, except specific healthcare contexts + via occupational physician. HR registration prohibited.

Last reviewed: 25 May 2026

Vaccination status = special category personal data (GDPR Art. 9(1)(b) — health data). Employer access strictly limited.

What is NOT allowed?

(1) HR registration of vaccination status.
(2) Demanding "proof of vaccination" at hiring.
(3) Asking vaccination status via personnel app.
(4) Distinction in work schedule/location based on vaccination.
(5) "Anonymous polls" traceable at individual level.

When IS it allowed?

(1) Healthcare institution (Dutch Long-term Care/Health Insurance care provider) where caregivers treat high-risk patients — only via occupational physician, not HR. Hepatitis B for BIG-registered dentists, MRSA status for ICU staff.
(2) Specific risk professions where law requires vaccination — aviation on missions, military on deployment.
(3) Pandemic exception (Covid 2020-2022) under Temporary Measures Act — no longer applicable 2026.

Occupational physician route: only "fit/unfit for function" + "vaccination status retained for month X" — no specific vaccinations by name to employer.

On overstepping: works council complaint + AP complaint (serious violation) + civil damages claim Art. 82 + UWV report on termination based on it.

AP precedent 2022-2023: multiple rulings against employers demanding Covid vaccination — fines + mandatory data removal.
