German authorities stress data protection laws must be obeyed during epidemic

Germany

Companies across Germany are implementing preventative and proactive measures against the coronavirus, but a series of recent statements from supervisory authorities make it clear that these procedures cannot violate data protection regulations. 

Recently, authorities published their first statements on how to deal with the coronavirus pandemic vis-à-vis data protection law. In its statement dated 13 March 2020, the German Data Protection Conference (DSK) was the first to express its views. On the same day, the Baden-Württemberg Commissioner for Data Protection and Freedom of Information (LfDI BaWü) published a compilation of frequently asked questions. On 16 March 2020, the Rhineland-Palatinate Commissioner for Data Protection and Freedom of Information (LfDI RLP) also made information on employee data protection during the coronavirus epidemic available online. On 16 March 2020, the European Data Protection Board, an alliance of the national supervisory authorities of the EU states, issued a press release.

The following conclusions can be drawn from those statements: 

Collection of employee data

The employer's duty of care requires that the protection of employee health be ensured. In order to fulfil this duty, personal data (including data concerning health) of employees may be processed. The processing must serve to prevent or contain the spread of the virus among employees in the best possible way. The processing of employee data can be permitted within reason, particularly when an infection has been detected, an employee has had contact with a demonstrably infected person, or an employee has recently travelled to a country or region classified by the Robert Koch Institute as a risk area. 

If sensitive data concerning employee health are processed, the processing can be legitimised by section 26 (3) German Federal Data Protection Act and Article 9 (2) lit. b) General Data Protection Regulation (GDPR). Under these provisions, processing data concerning health is permissible if it is necessary to fulfil the employer's duty of care under labour law and if, in the case described in section 26 (3) German Federal Data Protection Act, there is no reason to assume that the data subject's legitimate privacy interests outweigh the need for processing. 

Some typical case groups for such data processing include:

  • Collection of private contact details for emergencies: In the opinion of the Baden-Württemberg Commissioner for Data Protection and Freedom of Information, employers may in particular collect current private mobile phone numbers from the staff so that they can warn or ask employees to stay home at short notice in the event of a company closure or similar cases. However, the data may only be stored temporarily and in agreement with the employee. There is no obligation to disclose private contact details, but it is usually in the employee's own interest.
  • Collection of information regarding persons with whom the employee has been in contact: According to the Baden-Württemberg Commissioner for Data Protection and Freedom of Information, in order to limit the risk of infection as part of its duty of care, the employer is also authorised to collect information regarding the persons with whom a sick employee has been in contact. According to Article 6 (1) sentence 1 lit. c) GDPR in conjunction with Article 9 (1), (4) GDPR and section 26 (3) sentence 1, section 22 (1) no 1 lit. b) German Federal Data Protection Act, such processing can be justified for the purpose of occupational health and safety. 
  • Collection of information regarding travel to risk areas: Employers are also entitled to ask employees returning from holiday whether they have visited a risk area. In the opinion of the Rhineland-Palatinate Commissioner for Data Protection and Freedom of Information, a detailed survey of all employees in the form of a questionnaire is not necessary for this purpose. It would be preferable to point out the countries that currently qualify as areas of increased risk of infection and then ask employees to report whether they have recently visited any of these areas. Indicating the specific destination or the length of the stay is therefore unnecessary. The Baden-Württemberg Commissioner for Data Protection and Freedom of Information is also of the opinion that negative information from the employees concerned is generally sufficient.
  • Collection of data concerning health by measuring body temperature: According to the Rhineland-Palatinate Commissioner for Data Protection and Freedom of Information, employers are not allowed to make employees' entry into the premises of the company or authority office dependent on having their body temperature measured, since in view of existing alternatives such as working from home, it cannot be assumed that data processing is necessary in this respect.

Collection of personal data relating to third parties

With regard to guests and visitors, the collection of certain personal data (including data concerning health) is also permitted according to the German Data Protection Conference, especially if the processing serves to identify a possible risk of infection. Data processing for the purpose of implementing measures against third parties should be justified in accordance with Article 6 (1) sentence 1 lit. f) GDPR, while Article 9 (2) lit. i) GDPR in conjunction with section 22 (1) no 1 lit. c) German Federal Data Protection Act also applies to the processing of data concerning health.

Disclosure and sharing of personal data

In the opinion of the supervisory authorities, the disclosure or sharing of employee or customer data by companies may also be permissible in certain cases:

  • Disclosure within the workforce of persons with whom the employee has been in contact: In the opinion of the Data Protection Conference, the disclosure of personal data of persons who are demonstrably infected or suspected of being infected, in order to inform those with whom they have been in contact, is lawful only if this information is necessary so that these individuals can take preventive measures. The Baden-Württemberg Commissioner for Data Protection and Freedom of Information likewise takes the view that sharing the name of an infected employee within the workforce should generally be avoided, even with employees who were in direct contact with the infected person and who may have to be released from their duties. Because of the risk of stigmatisation, such measures should be implemented on a departmental or team basis without naming the person concerned. Only in exceptional cases should the public health authority or other employees be informed first. According to the Rhineland-Palatinate Commissioner for Data Protection and Freedom of Information, the most data-economical approach is to ask the employee concerned to provide a list of colleagues and to contact them directly, since this eliminates the need to identify the sick employee by name company-wide.
  • Sharing employee or customer data with government authorities: In the opinion of the Baden-Württemberg Commissioner for Data Protection and Freedom of Information, in the case of a request by the competent government authorities regarding employees in the company who are ill, the employer has the authority and is obliged to transmit this data, particularly on the basis of the German Protection Against Infection Act (IfSG). 

Conclusion: Crisis awareness of the supervisory authorities

Special times require special measures. The statements made by the supervisory authorities show practical relevance and provide helpful advice for crisis management in line with data protection regulations to contain the coronavirus pandemic. Nevertheless, employers should take care to document the implemented measures and the data protection assessment. They must also ensure that data are deleted as soon as the purpose is achieved. Given the magnitude of the crisis, substantial data pools will probably be created quickly, and they will have to be adequately protected against unauthorised access. If a data privacy breach occurs due to a lack of adequate security, there is a risk not only of damage to the company's reputation, but also of a substantial fine due to the sensitivity of the data. Despite the urgency of the situation, special attention should be paid to data security. 

For more information on how to respond to the current crisis in line with German data protection regulations, contact your usual CMS advisor or local CMS experts Philippe Heinzke and Lennart Engel.