Corona und Datenschutz

Important information from the DSK: Health data may be collected to protect against infection during the corona pandemic

Data protection and infection control measures are not mutually exclusive, state the German data protection supervisory authorities together. Many employers and employees are now faced with new questions. To what extent and under what circumstances may or must health data be exchanged at all?

The data protection supervisory authorities of the federal and state governments in the data protection conference (DSK) presented a common position – the original document can be found here.

The Federal Data Protection Officer Ulrich Kelber emphasized that health information is very sensitive data. Data processors should therefore be aware of their particular responsibility. But as long as the measures taken by employers and employers are proportionate, data protection does not stand in the way of combating infection. Citizens’ health is now the focus.

Collection of health data allowed

To contain the corona pandemic, companies and organizations can collect and use personal data not only from employees, but also from guests and visitors in order to prevent the virus from spreading among the workforce. This includes, for example, data on cases in which an infection was found. This also includes cases in which there has been contact with a verifiably infected person.

Health data may also be collected if there has been a stay in an area classified as a risk area by the Robert Koch Institute during the relevant period. What about the transfer of data from infected people or from people suspected of being infected? This is only lawful “if the knowledge of the identity is exceptionally necessary for the precautionary measures of the contact person.” This means that mentioning the name is to be avoided in principle.

The procedure must remain appropriate

The supervisory authorities point out that the duty of care obliges the employer or the employer to ensure the health protection of all employees. Accordingly, he must react “appropriately” to the spread of a reportable disease. However, the precautionary measures must “of course always be proportionate”. Therefore, the respective data must be treated confidentially and used exclusively for a specific purpose. At the latest with the end of the pandemic, the collected data would have to be “deleted immediately”.

Consent of the data subject is only possible if they are informed about the data processing and can voluntarily consent to the measure. However, employees would also have to fulfill duties of consideration, conduct and cooperation towards their employer and third parties. They are obliged to inform their employer about an infection with the corona virus, which can also result in a disclosure authorization under GDPR with regard to the contact persons.

Practice-oriented FAQ from Baden-Württemberg

The Baden-Württemberg state data protection officer, Stefan Brink, makes it clear that, as a rule, the employer is not entitled to investigate and intervene, but only to the state health authorities. In case of doubt, employers should therefore seek contact with the health authorities and not collect health data “on their own” or even against the will of the employees. Brink has published a very detailed, practice-oriented “FAQ on Corona”.

In it, Stefan Brink also states that the employer may collect private contact details from the workforce in order to be able to warn the employees at short notice in the event of a company closure – provided that the employee’s consent. Brink points out that the manual of the Federal Office for Civil Protection and Disaster Relief recommends the establishment of an “internal communication network” tailored to the respective company. The company can take certain measures depending on the pandemic phase. However, the contact details must be deleted and again after the pandemic at the latest may not be used for other purposes.

Extract: “Due to their duty of care and according to the Occupational Safety and Health Act (ArbSchG), employers are obliged to take the necessary measures to ensure the operational safety and health of the workforce. This also includes the employer’s duty to ensure that other employees are protected from infection by a sick person. For this purpose, it is permissible under data protection law to collect information about the people with whom the sick employee was in contact … ”

Do you have any questions on this subject? Call us on 08505 919 27-0 or fill out our contact form. We are happy to help!

This post is also available in: German