Combatting corona and protection of employee data
In order to protect their employees and maintain their business operation, undertakings will have to take measures to limit the risk of contagion. In many cases, sensitive personal data of employees will be collected and processed for this purpose. Not least due to the threat of large fines, data protection law must not be left by the wayside. The supervisory authorities on the European and national level have meanwhile defined the framework for data protection compliant measures in the current crisis situation. We have summarised the most important guidelines as follows.
What measures can employers take which are in line with data protection law?
“Data protection rules do not hinder measures taken in the fight against the coronavirus pandemic.” This is the beginning of the statement by the Chair of the European Data Protection Board on the subject of data protection in the context of the COVID-19 outbreak. The German supervisory authorities also recognise in a very recently published information paper (German) that the collection and exchange of information are important means for limiting the current health risks.
However, it remains the case that there must be a legal basis for every processing of personal data. A statutory basis for the following typical measures can be found in the General Data Protection Regulation (“GDPR”) and the Federal Data Protection Act (Bundesdatenschutzgesetz) (“BDSG”).
- Collection of information on infections and material risk factors
It is generally permissible for employers to collect information on their employees with regard to whether they
- are themselves infected with the coronavirus,
- had contact with a demonstrably infected person,
- were in an area classified by the Robert Koch Institute as a risk area in a relevant period of time.
Employers may request this information from the employees personally or collect it by means of standardised (electronic) questionnaires.
Employers may only collect information beyond that (e.g. on contact with persons who have only possibly been infected, travel to countries which have not been officially classified as risk areas or on symptoms associated with COVID-19) in exceptional cases.
- Further processing of the data
Employers may process the (personal) data thus collected, as well as that which is already lawfully stored, both to evaluate the relevant employee’s ability to work and for the protection of the rest of the employees, the customers and other corporate contacts.
Protective measures are justified under data protection law insofar as they are necessary in an individual case. Such cases include, for example:
- Informing the employees on health risks, conducting relevant training sessions
- Determining whether employees belong to “risk groups” (e.g. older employees, people with prior illnesses) or are involved in particularly risky activities (e.g. on-site sales, positions involving contact with the public, employees travelling long distances to work)
- Identifying those employees whose further activity on the company premises would present a risk for others (e.g. if they have returned from a risk area)
- Approving and/or ordering home office/teleworking and ensuring the ability to work outside of the company premises
- Denying business trips, training courses and/or other events
- Determining employees’ inability to work and, if appropriate, releasing them from their duties and continuing their remuneration
- Identifying and informing coworkers who have had contact with employees who might have been infected. However, the identity of the persons involved may only be disclosed in exceptional cases where this is necessary in order to enable possible contact persons to assess the risk and take protective measures.
- If appropriate, documenting the spread of the virus within the undertaking.
- No consent necessary
For these measures, the processing of personal (health) data is permissible on a statutory basis. The relevant legal bases for this are section 26(1), (3) BDSG, Article 9(2)(b) GDPR. Public employers can additionally rely on Articles 6(1)(e) and 9(2)(g) GDPR. Obtaining the consent of the employees is generally neither required nor expedient. However, it must be ensured that the data processing is carried out transparently and the employees receive the information required under Articles 13 and 14 GDPR, e.g. on the anticipated period for which their data will be stored and on possible recipients of the data within and outside of the company.
What other duties under data protection law have to be met?
Along with the need for a legal basis and transparency, despite the current exceptional situation, the general requirements for lawful data processing continue to apply. In particular, the following should be noted:
- Data minimisation
Employers may only process personal data of employees insofar as this is necessary for the measures that are taken to limit the risk of contagion. The personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Article 5(1)(c) GDPR). Only that information on employees may be collected and used which is necessary in the specific situation to minimise the risk. Gathering data on health status “as a precaution” over a longer period of time (“symptom diary”) or compiling movement profiles of employees would exceed this scope.
- Passing on of data
The passing on of personal (health) data within and outside the company must be strictly limited. It must be ascertained in each individual case whether or not the recipient of the information has to know the identity of the (possibly) infected employee in order to effectively combat the risk. This can be the case if it is a matter of enabling the contact persons of an affected employee to assess the risk. On the other hand, it would be impermissible to give the names of infected employees of a group company to the group headquarters so that it can keep statistics on the group as a whole. Anonymised notifications will have to suffice for this purpose.
Personal data should also not be transmitted to (health) authorities without examining the need to do so. However, if the employer receives a legally binding request for information, it may (and must) respond to it.
Finally, personal data collected in connection with the corona crisis must be erased once the purpose pursued with its processing is achieved or no longer applies. In the view of the authorities, this point in time will be reached at the latest once the pandemic comes to an end. However, before the data are finally erased, it will be necessary to examine in each case whether their further retention could be necessary and permissible for other reasons, for example if there is a threat of legal disputes involving measures that were taken or failed to be taken during the crisis period.
Consequently, employers may process all personal data which are necessary for a proportionate reaction to the current pandemic situation. At the same time, it must be carefully ascertained which measures are really expedient and to what extent.