To the point
The coronavirus is gripping the world. The constantly increasing number of infections requires appropriate prevention and defence measures be taken by companies to shield employees, customers and visitors. Many protective measures to combat coronavirus also involve the processing and/or dissemination of personal data, often sensitive health data. But what are the limits regarding what is permissible under data protection law?
The number of infections is increasing rapidly. For this reason, companies are also being forced to take appropriate protective measures as quickly as possible for the benefit of their employees, customers and business partners as well as visitors. Some of these measures often go hand in hand with the collection and transmission/dissemination of personal health data, e.g. through the taking of temperatures or questionnaires. In the course of these measures, companies are faced with the difficult challenge of striking a balance between the rights of the affected employees, customers and business partners as well as visitors to privacy and the health of other people.
Under Article 9 of the General Data Protection Regulation (GDPR), data concerning health or other information on a viral disease are classified as "particularly sensitive data". The processing of sensitive personal data is therefore prohibited in principle, except in those cases where the law expressly permits processing. In addition to consent under Article 9 (2) (a) GDPR, Article 9 (2) (b), (c) and (g) GDPR in particular may be considered as justification for various measures to contain the coronavirus. However, even in the current situation, the exceptional circumstances set out in Article 9 (2) GDPR should be interpreted restrictively in general due to their exceptional character and should not be regarded as a licence for far-reaching invasions of privacy.
For example, processing may be permitted in the employment relationship if this serves the exercise of rights and obligations under employment and social security and social protection law in accordance with Article 9 (2) (b) GDPR. This should also cover among other things the employer's duty of care under employment law for the respective employee and all colleagues. For example, data processing may be permitted to protect employees against infection, to organise sick leave and continued payment of wages or to inform employees about an infected colleague.
However, the other exceptions to the consent requirement should be treated with caution. For example, Article 9 (2) (c) GDPR permits the processing of sensitive data for the protection of vital interests. However, this only applies if the data subject is incapable of giving his or her consent, e.g. in the case of an already advanced or serious illness. Otherwise, the employer must try to obtain consent.
Moreover, the processing of sensitive personal data cannot be based in general on a substantial public interest pursuant to Article 9 (2) (g) GDPR. In fact, the European legislator had the occurrence of a pandemic in mind, as recital 46 suggests. This means that the processing of sensitive data for pandemic surveillance may well be allowed. However, the national legislator must enact appropriate provisions in this regard, which set out the permissibility of such data processing in concrete terms. The German legislator has not made clear use of this option, so that there is no legal basis for this as yet.
Due to the unclear and complicated legal situation, the German data protection authorities have recently published a first set of guidelines for the processing of sensitive company data: In a statement of 13 March 2020, the Data Protection Conference for the first time expressed its views on the handling of the coronavirus and related data processing. In addition, other German and European supervisory authorities have provided guidelines, recommendations for action and instructions for handling the coronavirus in accordance with data protection law (in german):
In addition to concrete questions of employment law, companies could be confronted with completely new data protection scenarios. For example, the report that Telekom had passed on anonymised cell phone data of its customers to the Robert Koch Institute caused a sensation. However, this data only allowed the tracking of rough movement patterns and not of individual persons. The Federal Commissioner for Data Protection and Freedom of Information had already from the outset rejected the targeted analysis of location data of infected persons, as is done in China or South Korea. Such a procedure can only be carried out in exceptional cases based on full information and with the consent of the person concerned.
At present, even special laws such as the German Protection against Infection Act (Infektionsschutzgesetz, IfSG) do not contain any legal basis that could justify a ‘digital tag’ for infected persons. Moreover, tracking individual patients is also not technically feasible, as GPS data is not collected throughout Germany and is therefore far too inaccurate. This is probably one of the reasons why the German Federal Ministry of Health withdrew a bill to this effect.
However, the individual authorities take quite different positions. We therefore wish to provide below an overview of the recommendations published by the authorities. It addresses typical questions that companies face when tackling the challenges posed by the coronavirus. However, the overview does not replace the necessary individual review of the legality of the use and dissemination of personal data on a case by case basis.
If you are a company operating in Germany, we also recommend that you follow the statements and instructions of the German supervisory authorities. Although other European data protection supervisory authorities may take a more pragmatic and less strict view, the assessments of national authorities will be decisive in the first instance. Accordingly, the following questions and answers are mainly based on the statements of German data protection authorities.
Can the employer request information on whether the employee has visited a risk area?
Yes. The employer's duty of care towards its employees requires the employer to take necessary measures to ensure the safety and health of all employees at work. This also includes the duty to prevent infection. For this purpose, the employer is permitted to ask employees returning from holiday whether they have stayed in a country classified as a high-risk area by the Robert Koch Institute. If the employee denies this, this answer is sufficient. If necessary, the employer may ask further questions.
Can the employer collect health data of the employee, e.g. by taking his/her temperature?
No. Such a measure could only be based on Section 26 (3) sentence 1 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). Under this provision, the processing of special categories of personal data for employment-related purposes is only permitted if it is necessary to exercise rights or comply with legal derived from labour law, social security and social protection law, and there is no reason to believe that the data subject has an overriding legitimate interest in not processing the data.
This question is answered inconsistently. Some argue that the employer can, within narrow limits, require that the employee undergo a medical examination. Minimally invasive measures, such as taking temperatures should be permitted, provided that they are used to protect other employees from infection by a potentially infected person who has recently been in a risk area.
However, the Commissioner for Data Protection of Rhineland-Palatinate considers taking temperatures at the entrance to the company premises to be not permissible, as this is not necessary in view of alternative measures such as working from home. What seems to be more important in view of the fact that a large number of employees cannot work from home, is the argument that an elevated body temperature is not a reliable indicator of coronavirus infection. After all, many of the infected people have only mild symptoms or no symptoms at all. Even the WHO does not recommend that employers take temperatures across the board. In summary, from a data protection point of view, such "compulsory medical checks" by the employer should be avoided.
Can the employer require his employees to confirm that they are infected with the coronavirus?
Yes. An obligation to confirm an illness by the employee vis-à-vis the employer would seem to arise from the secondary obligations under the employment contract . Only in this way is the employer able to fulfil his duty of care towards the sick employee and his colleagues. The Federal Commissioner for Data Protection also announced in his recent statement that the collection and processing of health data of employees is permissible if this is the best possible way of preventing infection among employees.
Can the employer request information on whether an employee has had contact with an infected person?
Yes. Both the Federal Commissioner for Data Protection and the Commissioner for Data Protection of Baden-Württemberg have meanwhile commented on this question. According to them, the employer is entitled in principle to request information on whether an employee has had contact with an infected person, provided the request serves the purpose of health protection at the workplace.
Is the employer entitled to systematically ask employees about previous illnesses in order to identify potential risk patients?
No. Such surveys cannot be justified on the basis of Section 26 (3) sentence 1 BDSG. The necessity of such an approach is already highly doubtful, as this information is not likely to be directly related to the employment relationship. Moreover, in this particular case, the interest of the persons concerned that their employer does not obtain information about other existing illnesses would seem to outweigh this.
Can employers inform employees that a particular employee has fallen ill with the virus?
No, but exceptions are possible. Disclosure of personal data of demonstrably infected persons or persons suspected of being infected for the purposes of informing persons who have been in contact with such infected persons is only lawful in absolutely exceptional cases (different view e.g. Danish supervisory authority).
This is to be assumed if, in exceptional cases, knowledge of the identity is necessary for the precautionary measures to be taken by persons who have been in contact with infected persons. According to the Commissioner for Data Protection of Baden-Württemberg, passing on the name of an infected employee within the workforce is to be avoided in principle. This also applies in the event that the infected person has been in direct contact with other employees and they may therefore have to be sent home from work themselves. Due to the risk of stigmatisation, such measures should rather be carried out on a departmental or team basis without mentioning any specific names. In exceptional cases, the local health authority should be informed first and, if necessary, the other employees should be informed only as a last resort. The Commissioner for Data Protection of Rhineland-Palatinate recommends that the workers themselves be asked to provide a list of colleagues at risk and then to address these colleagues directly. This way it can be avoided that the name of the sick employee becomes known throughout the company or needs to be provided to authorities.
Do companies have an obligation to report to the health authorities?
No. Companies are not subject to any active reporting obligations to the health authorities. Section 8 IfSG provides an exhaustive list of persons who are obliged to report. According to this, only physicians and members of other health care professions are obliged to report whereas private individuals and companies are not. However, according to the Commissioner for Data Protection of Baden-Württemberg, the employer is obliged to do so at the request of the competent authorities with regard to sick employees in the company, in particular on the basis of the IfSG and is authorised to pass on the relevant information to the authorities. However, the legal basis for this is likely to derive from regulatory law and the authority to issue orders based on this law.
What preparations does the employer have to make for working from home?
If working from home is permitted or ordered, the employer must provide the employee with the necessary equipment to be able to work from home. In addition, the employer must establish appropriate technical/organisational measures for data protection, confidentiality (e.g. also of trade secrets) and IT security. However, there is no general right to work from home unless this is explicitly agreed in the employment contract, but such may exist if the physical presence at the workplace is unreasonable. However, this must be decided on a case-by-case basis.
Can the employer maintain a list of the private telephone numbers of employees so that they can be reached in an emergency?
Yes. The employer is allowed to maintain a list of the current private mobile phone numbers of the workforce in order to be able to warn or urge employees to stay at home at short notice in the event of a plant closure or similar circumstances. However, they may only be stored for a limited period of time for specific, legitimate purposes and with the written consent of the informed worker. Although the employee will in most cases agree to this request in his own interest, there is no legal obligation to disclose this information. It would not be permissible under data protection law to (continue to) use the private data at a later point in time, as data processing must always be carried out for a specific purpose in accordance with Article 5 (1) (b) GDPR. If the specific purpose no longer applies, the data must be erased.
Can companies collect, store or transmit personal data of customers or visitors to events in case it is later determined that an infected person attended the event?
Yes. A typical case for this question would be, for example, whether a trade fair organiser may pass on information about trade fair visitors to health authorities. If the competent authority has issued an order to store visitor data, the organisers may collect and store such data. Which authority is responsible in an individual case is determined by the law of the federal state where the event is hosted. Such an order to store visitor data is usually accompanied by an obligation to transmit the data to the competent authority. As long as no official order has been issued, organisers may in principle only collect and store such data on the basis of the voluntary consent of the person concerned. Furthermore, in view of the requirement regarding the purpose limitation of the data processing, the data should also only be stored for the duration of the presumed incubation period. In addition, the information obligations set out in Articles 13 and 14 GDPR must be taken into account. Unless an official order has been issued, companies may only process such data in exceptional cases. The identity of an infected person may only be disclosed to a person who has been in contact with him/her if this is essential for the implementation of a coronavirus containment measure.
Failure to comply with data protection provisions can, in addition to heavy fines, provide opportunities for cyber criminals to attack and exploit the current situation to infiltrate corporate systems. Certainly, measures such as working from home support the containment of the coronavirus, but companies must also be aware of the weaknesses that arise from working from home. For this reason, it is recommended that companies establish IT security teams on site to counteract any hacker attacks quickly and effectively. Particular caution is also recommended here in the interests of effective protection of trade secrets,, as spam and phishing e-mails are already being sent to exploit the fear of the coronavirus and its effects. In contrast to the ICO, the German authorities have not yet announced that they intend to be less strict in punishing data protection violations under the current circumstances. Until this has been clarified, data privacy should be respected even in times of crisis.
The statements of the supervisory authorities provide helpful and practical advice on crisis management to contain the corona epidemic that complies with data protection rules. However, companies must always be aware that the privacy of the individual is a fundamental right that does not lose its value even in times of crisis. Data protection principles (e.g. data minimisation and purpose limitation) must also continue to be observed despite the crisis, so that unlimited and unprompted data collection is still not permitted.
Companies should therefore inform their employees, customers and visitors transparently and in detail about any data processing undertaken in connection with the coronavirus. Furthermore, the measures taken and the corresponding data protection assessment should be documented. Once the purpose of the processing no longer applies (e.g. recovery of the employee, end/control of the epidemic), data processing operations must be restricted immediately, and stored data must then be erased within certain time limits (e.g. after any possible claims are statute-barred).
In view of the continuing increase in the number of people who are ill, the problems discussed are likely to keep companies busy for some time to come. Further statements of the supervisory authorities should therefore be closely monitored in order to accordingly adapt your own data processing processes where necessary. It would also be desirable that, in view of the exceptional situation, the unclear and complicated legal situation as well as the limited resources of companies, the supervisory authorities refrain from being too strict in penalising any breaches of data protection.