Corona virus and data protection: Which data may be processed to what extent?
Not only but, in particular, with regard to employment relationships in times of the corona pandemic the question arises whether relevant data may be collected and processed with regard to the employees. Must the employer whether an employee has becomeinfected? If so, what applies with regard to the data of closer contact persons of this employee? And what applies to other guests and visitors of the company? On Friday, 13 March 2020, in the Data Protection Conference the data protection supervisory authorities of the Federal Government and the States published a common recommendation concerning the extent of admissible processing of health data.
Corona-related data are health data
The key statement of the supervisory authorities is that the protection of personal data and measures to control the infection do not oppose each other as long as these measures are reasonable. Personal data in connection with the corona pandemic, as a rule, are health data within the meaning of Art. 9 GDPR, since there is a relation between the relevant person and his/her health condition. Health data are very sensitive data and, therefore, particulary protected by law so that they may be processed only very restrictively. Nevertheless for several measures for containment of the corona pandemic or for the protection of own employees also such data can be processed in a manner conforming with data protection, since the health of citizens is now of core interest according to the opion of the Federal Data Protection Officer Ulrich Kelber.
Admissible data processing
But also in the times of the corona virus the principles of lawful data processing of the GDPR have to be complied with. This means, above all: Any data processing must have a legal basis and must not be unreasonable.
As a rule, the following measures will be admissible to contain and control the corona pandemic:
- Collection and processing of personal data (including health data) of employees by the employer in order to prevent or control a spread of the virus among the employees. This includes, in particular, information concerning cases:
- where an infection has been determined or contact with a provaby infected person existed;
- where in the relevant perio there was a stay in one of the regions classified by the Robert-Koch-Institut (RKI) as risk region.
- Collection and processing of personal data (including health data) of guests and visitors, in particular, to determine whether they
- have become infected themselves or have been in contact with a verifiably infected person;
- stayed in the relevant period in a region classified as risk region.
Data processing of this kind can be based on all statutory permissions of the GDPR and the Federal Data Protection Act. Th consent of the persons affected is, therefore, as a rule, not required and would fail – in case of doubt – because of the lack of voluntariness.
Limits of data processing
However, any data processing going beyond that is no longer readily admissble. Thus, the disclosure of personal data of verifiably infected or suspected persons for the information of contact persons is only lawful if the knowledge of the identity is exceptionally required -for protective measures with regard to contact persons. As a rule, the name of the person concerned should not be given.
Of course, the principles of data economy and confidentiality of processed data continue to be applicable unchanged. Furthermore, data may exclusively processed for a specific purpose. When the concrete purpose of processing no longer exists, i.e. in the present case at the end of the corona pandemic, the data collected in this connection have to be deleted immediately.
The Data Protection Officer of Baden-Wurttemberg, Stefan Brink, further stated in a FAQ concerning corona that, as a rule, not the employer has any investigation and access permission but only the health authorities. Therefore, employers are requested, in case of doubt, to seek the contact with the health authorities and not to collect health data "on their own initiative" and certainly not against the wishes of the employee. (cf. https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2020/03/FAQ-Corona.pdf).
Disclosure by person affected
Notwithstanding the aforesaid, however, also the employees themselves have a duty of thoughtfulness, considerate conduct and cooperation vis-à-vis their employer and third parties. In particular, in the view of the data protection authorities the duty to inform the employer about the existence of an infection with the corona virus constitutes such an ancillary obligation for the protection of high-ranking interests of third parties; from which follows under certain conditions also an authority to disclose personal data of direct contact persons.
Detailed DSK information is here available.
Rechtsanwältin, LL.M., Licensed Specialist for Information Technology Law