(Last update: 26 March 2020)
The outbreak of coronavirus raises the question (among many others) of what powers and obligations employers have when processing the personal data of employees and third parties who are in contact with the company.
As a premise, even the supervisory authorities have acknowledged that data protection in such exceptional circumstances must not stand in the way of necessary healthcare measures. However, data protection has not ceased to be in force. Rather, the applicable provisions are the general rules of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG), where appropriate in connection with the law governing protection against infection or labor law. These rules ensure a sufficient balance of interests, even in such an exceptional situation.
Individual measures and their legal admissibility
In principle, personal data may be processed if the data subject has consented to it, in order to fulfil obligations and contracts, if this is necessary in the legitimate interests of the company or a third party, in order to fulfil legal obligations or to protect the vital interests of the data subject or other persons.
Private contact details of employees
Private employers, as controllers on the basis of § 26 I BDSG, Art. 6 I 1 f) GDPR, where appropriate in connection with their general duty of care under labor law, may also collect private personal data of employees in this situation. Examples of such data are private contact data which are indispensable for continuing to inform the employee and for the organization of the business (e.g. private mobile phone numbers). In the opinion of the State Commissioner for Data Protection and Freedom of Information for Baden-Württemberg, however, this contact data may be used exclusively to the extent necessary for information in emergencies.
Health data of employees and guests
In order to contain a risk of infection or to initiate a test or treatment, it will also regularly be necessary to collect health data, the processing of which is prohibited in principle under the GDPR. That this is nevertheless permissible has been confirmed in recent statements both by the German federal and state data protection authorities and by the European Data Protection Board. Normally, the employer may process health data only in rare cases regulated by law or on the basis of valid consent; health data belong to the group of sensitive personal data that are subject to a higher level of protection. In the case of the corona pandemic, their processing is also possible under § 26 III BDSG, Art. 9 II b) GDPR (processing for healthcare purposes), for example in order to establish a concrete suspicion of infection. It is therefore possible to interview people returning from a holiday in a risk area or after contact with people who are confirmed to be infected. However, a detailed questioning of all employees by means of a questionnaire is not necessary. In addition, the supervisory authority in Rhineland-Palatinate is of the opinion that it is not permissible to demand that employees’ body temperature be measured before they are allowed to enter the company premises.
However, data may be collected from visitors and guests to determine whether an infection or suspected infection exists. Here, one can invoke the permission of a legitimate interest (Art. 6 I 1 f) GDPR) or, in case of sensitive health data, public interests of health protection (§ 22 I No. 1 c) BDSG, Art. 9 II i) GDPR).
In order to contain the infection, it may also be necessary in individual cases to disclose an employee’s health data to his colleagues. However, this should be done anonymously to the extent possible. In addition, employers may collect information about the people with whom an ill employee has had contact in order to specifically inform these people. Here too, the powers follow from the legal requirements or the legitimate interests of the company (Art. 6 I c) and f) GDPR).
Finally, in response to official requests (for example according to § 16 of the German Protection against Infection Act [Infektionsschutzgesetz - IfSG]), the employer may and must transmit data to the authorities.
Working from home
Many employees are now working from home. However, the employer’s data protection obligations continue to apply in the home office, as does the respective employee’s obligation to comply with data protection, as has been reconfirmed by the State Commissioner for Data Protection of Schleswig-Holstein. Documents should not be left unattended or openly accessible, but should be stored in a locked room or container. In addition, the laptops or other computers used should be protected with a secure password, and the hard disk and any external storage media should be encrypted. Even when the employee leaves the workplace for a short time, the computer should be locked so that no one can access business data without authorization. Employers should also draw up a written concept for handling data in the home office and make it known to employees. The concept should also specify whom the employee must contact immediately in the event of a data loss.
Proportionate use of data
It is essential that all measures are proportionate. This includes the principles of (a) collecting only as much data as necessary, (b) processing data only for the purposes indicated, i.e. health protection and prevention, and (c) deleting these specific data as soon and as far as possible. Furthermore, the obligation to inform the data subject according to the provisions of Art. 13 et seqq. GDPR must be taken into account. Drawing up protocols and adapting data protection provisions to the new challenges posed by the fight against coronavirus can be of great value in creating the necessary transparency.
Dr. Jürgen Hartung, Patrick Schwarze