Member Article

According to press reports, most Germans are willing to accept limitations on the extent of the protection of their personal data vis-à-vis public authorities and agencies in order to tackle the coronavirus crisis. However, that alone is not an adequate justification for measures that employers may take during a coronavirus pandemic to prevent an outbreak in their company. Even in times of crisis, the processing of personal data requires an adequate legal basis under the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and special legislation on data protection, because the consent of the individual is frequently not suitable for quick and effective action to be taken.On March 13, 2020 the German Data Protection Conference (DSK), the body that represents the independent supervisory data protection authorities of Germany’s national and regional governments, published information about the processing of personal data by employers against the background of the coronavirus pandemic. Previously, individual regional data protection authorities, such as the Regional Officer for Data Protection and Information Security of Baden-Württemberg, had published guidance and FAQs to answer the commonest questions.

Relevant information about how employers can take precautions to help prevent cases of coronavirus includes in particular; knowing whether their own employees and also visitors or guests have been to risk zones, whether anyone has had contact with verified infected patients and information about current symptoms and coronavirus test results. Similarly, precautionary measures such as measuring the temperature of all staff and visitors before entering the company grounds or office premises are frequently mooted.

Under data protection law, the individual measures each require a legal basis. Special rules apply to the processing of data concerning health, which data protection law deems to be sensitive and thus deserving of extra protection. In the field of employment law, in particular section 26 (3) BDSG and Art. 9 (2) (b) GDPR are relevant. Accordingly, the employer is entitled to process data concerning health if this is necessary for the exercise of rights or for compliance with legal obligations under employment law and legislation relating to social security and social protection, and there are no grounds to assume that the data subject has any overriding legitimate interests in excluding such processing. Where no employment relationship applies, for instance in the case of visitors or other external parties, the legitimate interest under Art. 6 (1) (f) GDPR, taking into account the legitimate interests of the data subject, or, in light of the DSK’s broader, Covid-19-related interpretation, Art. 9 (2) (i) GDPR in conjunction with section 22 (1) (1) (c) BDSG may be invoked, depending on the type of the data in question. Accordingly, the processing of health-related information to the required extent is permissible, for instance, on public interest grounds in the field of public health as well as to guard against severe cross-border health risks, however, is subject in particular to additional technical and organizational protective measures at the same time.

Additionally, it goes without saying that all processing is subject to the general principles of the GDPR, which apply to any processing of personal data. Thus, the principles of proportionality, transparency, confidentiality and purpose limitation apply, as does the obligation to erase data once it is no longer required.

According to the DSK’s latest information, an employer’s duty of care to its own employees extends to any reasonable reaction to the epidemic or pandemic spread of a reportable disease for the purposes of prevention and traceability. According to the DSK’s coronavirus statement, the following specific acts are permissible:

• The collection and processing of personal data, in particular of employees’ data concerning health by the employer, to prevent or contain the spread of the virus as far as possible. According to the DSK, this applies especially where an infection has been diagnosed or contact with an infected person has taken place as well as in cases where a visit was made to an area classified as a risk zone by the Robert-Koch-Institut (RKI) during the relevant period. Accordingly, the employer will be permitted to request this information in most cases, whereby the Regional Officer for Data Protection and Information Security for Baden-Württemberg recommends obtaining a negative confirmation in the first instance and only then asking further questions if additional indicators become apparent.
  
  
• Under the DSK’s broader, Covid-19-related interpretation, it is permissible to collect and process personal data, including data from guests and visitors, to establish whether they (i) are infected themselves or have been in contact with an infected person, or (ii) have visited an area classified as a risk zone by the RKI. This means that measures such as temperature-measuring are likely also permissible not only for employees, but also for guests and visitors before entering the company grounds and office premises, provided the measurement itself is sufficiently reliable and the results are only used to make a decision on entry but are not stored.
  
  
• Conversely, the disclosure of the identity of people with a verified or suspected infection with the virus in order to notify people they have had contact with is, in the view of the DSK, only lawful if there is no other option for taking precautions. To that extent a phased approach is recommended in which all other options for notifying and warning people who have potentially been in contact need to be exhausted before the identity of the data subject is disclosed.
  
  

The employer may only pass on data about sick employees, contact with infected patients or visits to risk zones to third parties if there is a legal justification for doing so. In that context, an exchange of such information within the Group is only permissible in rare exceptional cases. To the extent that this relates to the passing on of this type of information to public authorities, the Regional Officer for Data Protection and Information Security for Baden-Württemberg correctly states that this requires a statutory basis that explicitly requires this or, for example, an official decree on the basis of the German Act on the Prevention and Control of Infectious Diseases (IfSG). Any decrees by public authorities must expressly state the legal basis in question. Companies also need to review whether the specified legal basis is actually relevant.

The issues under data protection law regarding the spread of the coronavirus virus are manifold. The recommendations now published by the supervisory authorities are helpful, and tend to be more broadly interpreted due to Covid-19, but they do not relieve the employer of the duty to review the individual measures on a case-by-case basis from the perspective of data protection law, and to ensure that the general requirements of data protection law are complied with.