Over the past several days, German Supervisory Authorities and health authorities have issued statements and guidance about the handling of personal data in the context of the ongoing COVID-19 pandemic. In this blog, we consider some of these statements in greater detail, as well as their implications for employers and employees.
(1) Coronavirus FAQ for Employees
On March 13, 2020, the German Federal Ministry of Labor and Social Affairs (“BMAS”) published a Coronavirus FAQ for employees, which includes information about measures that employers may take to protect their employees. The BMAS explains that an employer is obliged under the Occupational Safety Act (Arbeitsschutzgesetz) to conduct a risk assessment that considers the health and safety of its employees (Gefährdungsbeurteilung) and develop appropriate protective measures to mitigate identified risks. Moreover, within the framework of pandemic planning (civil protection), the employer must also identify and implement additional measures, as necessary. Further information can be found in the National Pandemic Plan published on the homepage of the Robert Koch Institute (“RKI”) and on the websites of the local health authorities (Gesundheitsämter).
As of today, the National Pandemic Plan sets out a strategy for health authorities to track persons who have been in contact with confirmed COVID-19 cases, as well as persons who have recently been in a high-risk region as identified by the RKI. It includes recommendations for health authorities about how to conduct such tracking (including via questionnaires), and notes that the local health authority is in charge of conducting and coordinating these efforts.
As the strategy to combat COVID-19 may change as the situation evolves, it is recommended to regularly check the websites of the RKI, the Federal Ministry of Health and of the local health authority where a company is based.
(2) Data Protection Guidance from German Supervisory Authorities
The Conference of German Data Protection Authorities (DSK) and the Data Protection Supervisory Authority for Baden-Württemberg have also issued statements over the past few days with guidance on the proper handling of personal data by employers in the context of the COVID-19 pandemic. They both state that employers have a valid legal basis to process personal data (including health data) to combat the COVID-19 pandemic, so long as the principle of proportionality is observed.
In line with the National Pandemic Plan outlined above, it is considered compliant with data protection laws for companies to collect and process the personal data of employees, guests, and visitors to company premises, in order to determine whether they (i) are infected or have been in contact with a person who is proven to be infected, or (ii) have been in an area classified as a “high risk” area by the RKI during the relevant period.
To the extent that the information relates to employees, the Federal Data Protection Commissioner requires that the processing serve the purpose of preventing or containing the spread of the virus among employees. However, while persons with whom an infected person has been in contact should be warned, the disclosure of the specific identity of infected or potentially infected persons to others with whom they may have been in contact is only permitted if this is exceptionally necessary.
Data processing in connection with the COVID-19 pandemic should only be based on consent if the data subjects are fully informed and it can be reasonably assumed that their consent is indeed voluntary.
The Supervisory Authority of Baden-Württemberg further notes that employees have an ancillary duty under their employment contract to disclose limited personal information that enables the employer to determine whether they pose a risk to other employees. This includes information on persons with whom they have been in contact and/or whether they have recently visited an area designated as a “high risk” area. In contrast, employees are not obliged to reveal if they have contracted COVID-19, except to the competent authorities. Therefore, employers should not conduct such investigations themselves, but request the help of the health authorities. Notably, this contradicts the BMAS FAQ, which states that while an employer normally must not ask for the diagnosis of an employee who is sick, he is authorized to ask whether an employee is infected with COVID-19 because he must be able to take adequate protective measures for other employees.
Generally, the safest approach for an employer is to liaise with the local health authority whenever possible, and especially if an employer is aware of any COVID-19 cases within its establishment.
The competent authorities may also order employers and event organizers to collect personal information from employees (or, where applicable, from participants and guests of an event) under the Protection Against Infections Act (“IfSG”). In such cases, the addressee of the order should ask the authority for the exact legal basis of the order, document it, and take care not to store the information for a longer period than necessary.
The COVID-19-related notification obligations of physicians and hospitals (which may trigger such orders against private entities) are regulated by the IfSG and a separate regulation.
The Supervisory Authorities emphasize that any personal data collected to combat the COVID-19 pandemic must be deleted once it no longer serves the purpose for which it was collected – i.e., when the pandemic has ended or is sufficiently contained. Also, data controllers should take care to update the information they provide to data subjects under Art. 13 and 14 GDPR if it does not yet mention such processing activities.
* * * *
These statements from the German authorities follow similar statements from other European regulators, including the European Data Protection Board and the Supervisory Authorities of Belgium, Czech Republic, Denmark, Finland, France, Germany, Hungary, Iceland, Ireland, Liechtenstein, Lithuania, Luxembourg, the Netherlands, Norway, Slovakia, Slovenia, Spain, Sweden, Poland and the UK. Covington will continue to monitor ongoing developments in this area.