Not only but, in particular, with regard to employment relationships in times of the corona pandemic the question arises whether relevant data may be collected and processed with regard to the employees. Must the employer whether an employee has becomeinfected? If so, what applies with regard to the data of closer contact persons of this employee? And what applies to other guests and visitors of the company? On Friday, 13 March 2020, in the Data Protection Conference the data protection supervisory authorities of the Federal Government and the States published a common recommendation concerning the extent of admissible processing of health data.
The key statement of the supervisory authorities is that the protection of personal data and measures to control the infection do not oppose each other as long as these measures are reasonable. Personal data in connection with the corona pandemic, as a rule, are health data within the meaning of Art. 9 GDPR, since there is a relation between the relevant person and his/her health condition. Health data are very sensitive data and, therefore, particulary protected by law so that they may be processed only very restrictively. Nevertheless for several measures for containment of the corona pandemic or for the protection of own employees also such data can be processed in a manner conforming with data protection, since the health of citizens is now of core interest according to the opion of the Federal Data Protection Officer Ulrich Kelber.
But also in the times of the corona virus the principles of lawful data processing of the GDPR have to be complied with. This means, above all: Any data processing must have a legal basis and must not be unreasonable.
As a rule, the following measures will be admissible to contain and control the corona pandemic:
Data processing of this kind can be based on all statutory permissions of the GDPR and the Federal Data Protection Act. Th consent of the persons affected is, therefore, as a rule, not required and would fail – in case of doubt – because of the lack of voluntariness.
However, any data processing going beyond that is no longer readily admissble. Thus, the disclosure of personal data of verifiably infected or suspected persons for the information of contact persons is only lawful if the knowledge of the identity is exceptionally required -for protective measures with regard to contact persons. As a rule, the name of the person concerned should not be given.
Of course, the principles of data economy and confidentiality of processed data continue to be applicable unchanged. Furthermore, data may exclusively processed for a specific purpose. When the concrete purpose of processing no longer exists, i.e. in the present case at the end of the corona pandemic, the data collected in this connection have to be deleted immediately.
The Data Protection Officer of Baden-Wurttemberg, Stefan Brink, further stated in a FAQ concerning corona that, as a rule, not the employer has any investigation and access permission but only the health authorities. Therefore, employers are requested, in case of doubt, to seek the contact with the health authorities and not to collect health data "on their own initiative" and certainly not against the wishes of the employee. (cf. https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2020/03/FAQ-Corona.pdf).
Notwithstanding the aforesaid, however, also the employees themselves have a duty of thoughtfulness, considerate conduct and cooperation vis-à-vis their employer and third parties. In particular, in the view of the data protection authorities the duty to inform the employer about the existence of an infection with the corona virus constitutes such an ancillary obligation for the protection of high-ranking interests of third parties; from which follows under certain conditions also an authority to disclose personal data of direct contact persons.
Detailed DSK information is here available.