The Conference of German Data Protection Authorities (“DSK”), the body of the federal and state Data Protection Authorities (“DPAs”) in Germany, recently issued joint recommendations regarding employers’ processing of employee personal data in the context of the coronavirus (“COVID-19”) pandemic. The DSK makes it clear that data protection does not hinder measures to fight COVID-19. According to the DSK, employers can collect personal data of employees in order to prevent the spread of the virus within the workforce. Employers also may process personal data of workplace visitors for COVID-19 related purposes. However, all measures must be proportionate.
Federal Data Protection Commissioner
The DSK published detailed guidance on the website of the German Federal Data Protection Commissioner’s Office. The guidance clarified the following:
- Purposes: Employers can collect and process personal data of employees and visitors, including health information, to determine whether (1) they are infected or have been in contact with an infected person, or (2) they were in a high-risk area during the relevant period. The disclosure of personal data of infected persons (confirmed and suspected) to inform others is lawful only if it is strictly necessary under exceptional circumstances to know the identity of that person, in order to allow others to take relevant precautions.
- Legal basis: The relevant legal basis for such data processing by employers in the private sector is the EU General Data Protection Regulation’s (“GDPR’s”) legitimate interests legal basis (Article 6 (1)(f)). Where health information is processed, the relevant legal basis is the GDPR’s employment and social protection legal basis (i.e., processing that is necessary for the purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law – Article 9 (2)(b)). In addition, the guidance notes that Section 26 (3) of the German Federal Data Protection Act includes additional requirements for relying on the GDPR’s employment and social protection legal basis to process sensitive data, in particular that there is no reason to believe that the data subject has an overriding legitimate interest in the data not being processed. Measures against third parties that require the processing of health data can be justified based on the GDPR’s legal basis regarding processing that is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health (Article 9 (2)(i)).
- Consent: The consent of data subjects can only be considered as a legal basis for COVID-19 measures if the data subjects are informed about the data processing and can provide consent about the measures voluntarily.
In addition, the Federal Data Protection Commissioner published General FAQs that clarify, among other points, the following:
- Duty of care: With regard to the legal basis considerations, the employer’s legitimate interests legal basis and, for health data, the employment and social protection legal basis derive from the employer’s general duty of care toward its employees. Under the duty of care, the employer must ensure the protection of the health of all employees. This also includes developing an appropriate response to the spread of COVID-19, in particular for prevention and traceability purposes (i.e., subsequent prevention measures directed at contact persons).
- Types of data: There is no definite answer to the question of what personal data the employer is allowed to process in the context of the COVID-19 pandemic. However, the criteria should be whether the processing is necessary for a given purpose (such as processing that is necessary for the protection of the health of employees and for compliance with statutory reporting obligations), and the implementation of the GDPR’s principle of data minimization. The Federal Data Protection Commissioner does not have concerns regarding the processing of the following categories of personal data of employees, contractors and visitors in connection with the COVID-19 pandemic:
  - Current contact information;
  - Contacts with other persons made within the organization;
  - Previous or intended stay in a high-risk area;
  - Previous contacts with supposedly infected persons; or,
  - Whether a person is symptom-free.
- Retention: The data must be deleted when the original purpose for processing no longer applies. For example, the data of visitors can be deleted after 1 – 3 months if no cases of infection have become known to the employer.
Furthermore, the Federal Data Protection Commissioner published Employee-Privacy FAQs that clarify the following points:
- Private contact information: The employer can collect the private mobile numbers and email addresses of employees, as their use may be necessary to ensure the ongoing accessibility of those persons during the COVID-19 crisis. These channels may need to be used to provide quick information and warnings to employees in case of illness, or in case of an overload of the IT infrastructure, where a different arrangement must be made within the work units. However, care should be taken not to transmit sensitive information via unsafe communications or email services, since there is a risk of unauthorized access by third parties to such data.
- Works council candidates: There is no issue with publishing works council election proposals on the company’s intranet page, as this is not a disclosure to a third party.
- Processing employee files in home office: The processing of employee files in an employee’s home office can only take place in exceptional circumstances, if it is strictly necessary and provided that technical and organizational measures have been taken to protect personal data in the home office. The Federal Data Protection Commissioner recommends, among others, the following technical and organizational measures for use in the home office:
  - Regular reminders to comply with the data protection regulations and principles;
  - The transport of paper files in courier folders, inside lockable cases with two combination locks;
  - Keeping a list of the files carried and returned;
  - Having a separate lockable room as a home office;
  - Locking documents away at home;
  - Not disposing of documents in the home office;
  - The exclusive use of hardware components that are approved for identification and authentication on the company’s network;
  - Hardware and software encryption;
  - A three-level password authentication system;
  - Maintaining access log files;
  - Evaluation of log files, especially with regard to private use;
  - Not printing in the home office; and,
  - Using screen protectors, if necessary.
Similar COVID-19 guidance has been issued by several state data protection authorities in Germany, including the following: