Are employers allowed under German law to ask about vaccination status of their employees?

The pandemic situation has created a number of new obligations and duties of care for companies in Germany. For example, the most recent version of the SARS-CoV-2 Occupational Health and Safety Ordinance, which came into force in January 2021, requires companies to take measures to reduce contact in the workplace, to implement company hygiene concepts, to provide and wear mouth-nose protection masks and, in particular, to offer a free COVID-19 test at least twice per calendar week to employees who do not work exclusively at home (§§ 2 to 4 Corona-ArbSchV). Many of these measures are based on the vaccination status of employees, meaning companies could allow a lot of relief orders for vaccinated and recovered employees if they only knew which employees are affected. To better protect employees and customers from the higher infection burden of unvaccinated employees, they would like to ask about the vaccination status of their employees.

Does German law permit a general inquiry into vaccination status by employers?

The overwhelming majority of published legal opinion, particularly on the part of the data protection supervisory authorities in Germany, has so far rejected a general authorization of the employer to query and store the vaccination status of employees for reasons of data protection law. If employees voluntarily provide their vaccination status without being asked, this information may be stored under certain circumstances. However, the employer is not allowed to ask for it. To justify this, the authorities point out that the disclosure of vaccination status constitutes particularly sensitive health information within the meaning of Article 9 of the General Data Protection Regulation (GDPR). In order to justify why he is not vaccinated, the employee could, for example, feel compelled to disclose an illness that prevents him from being vaccinated. The very question about this would therefore represent a significant intrusion into the personal rights of the data subject

At the same time, the legislator has not yet been able to decide to formulate a general duty to vaccinate or a legal basis for processing information on vaccination status. § Section 23a and Section 36 (3) of the Infection Protection Act (InfSchG) formulate the exceptional authority to collect vaccination status for pandemic control purposes, insofar as this is necessary to prevent the spread of disease. However, this only applies to a conclusively enumerated list of business sectors, which include, for example, hospitals and day clinics, schools and daycare facilities for children, mass accommodations, correctional facilities and nursing homes. In some German states, the relevant infection control ordinances stipulate that events or trade fairs may only be held using the 2G model (i.e., with vaccinated and recovered persons). In these cases, the organizer of the event  may exceptionally and only for the purpose of admission control ask visitors and participants about their vaccination status. However, here too, the information may only be stored within narrow limits.

Even where the legislator has added in the version of the SARS-CoV-2-Arbeitsschutzverordnung of 10.09.2021 that the employer can take into account a vaccination or recovery status of the employees known to him when determining and implementing the measures of the company infection protection, no general right of the employer to ask with regard to the vaccination status of his employees still unknown to him can be derived from this. The legislator explicitly links to the vaccination status already known to him, so that this information can only be used if the employer is already aware of it.

Why is the German legislator so reluctant to ask about vaccinations?

On the basis of the deliberations of the German government’s infection advisors (RKI), the legislator is of the opinion that neither compulsory vaccination nor the internal requirement to employ only vaccinated and recovered persons in the company would be sufficiently suitable for combating the pandemic. After all, it has been proven that vaccinated persons can also fall ill and pass on the viral load to third parties and unvaccinated persons. Even if only vaccinated and recovered persons were to work in a company, the employer would still have to fulfill his duty of care with general hygiene concepts and measures such as compulsory masks, distance rules and testing offers as well as home office options. These measures are therefore at least as effective, if not considerably more effective, for the protection of all employees, but interfere considerably less with the personal rights of the employee than a query about the vaccination status.. 

Can employers still ask about vaccination status?

The desire of employers for targeted relaxation for vaccinated and recovered persons nevertheless leads many companies to ask whether legally solid possibilities are there for carrying out queries on the vaccination status of employees.

a) Consents of employees

Attempts by companies to solve this by obtaining employee consent largely fail due to the strict requirements of the GDPR and the German Federal Data Protection Act (BDSG) regarding the voluntary nature of consent. Due to the strong power imbalance between employer and employee, this voluntariness can only be ensured under narrowly defined special conditions, which hardly seem feasible for the comprehensive query of vaccination status. Only if the employee actually communicates his vaccination status voluntarily and quasi unasked (e.g. in order to avoid a legally regulated testing obligation for unvaccinated persons in hospitals and care facilities according to § 9 BayIfSMV or for the purpose of organizing seating plans in offices), the employer may also document this communication. However, it will then have to be examined very closely in each individual case for which purposes the documented information may subsequently be used.

b) Infection control concepts with 2G model

Others take up the idea of the 2G model when formulating the infection protection concept in the company and, for example, deny unvaccinated persons access to the company premises or restrict testing and masking obligations to the unvaccinated part of the workforce. To implement such concepts, the vaccination status is already checked upon entering the company. 

In terms of labor law, it should be noted that in the absence of a statutory vaccination requirement, employees who refuse to produce a certificate must at least be offered equivalent employment opportunities - otherwise the employer must pay the wages owed without receiving anything in return. If the employees voluntarily present a vaccination certificate, e.g. in order to be exempt from the mask obligation at the workplace, the employer may, in our opinion, also record this information. In order not to have to constantly interrupt the workflow by renewed control queries, it should also be permissible to keep temporary documentation of the vaccination status for clearly limited purposes.

c) Payment of remuneration in case of quarantine

Some companies also take advantage of the legislator's decision to refuse continued payment of wages to employees who, for example, have to be quarantined as potentially at risk due to contact with infected persons, even though they could have avoided quarantine by undergoing recommended vaccination (Section 56 (1) sentence 3 InfSchG). They offer employees the option of shortening the quarantine period by voluntarily providing proof of the vaccination certificate, thus ensuring uninterrupted payment of wages. In an opinion on the continued payment of wages in the event of quarantine dated October 2, 2021, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg confirmed the view that the employer should be entitled in such a case to actively inquire about the vaccination status of the respective employee concerned.

d) Limitations in the documentation of vaccination status

Even in a pandemic, the general principles of personal data processing continue to apply. This applies in particular to the principles of purpose limitation and data economy in accordance with Article 5 of the GDPR. Just because data may be requested, it is far from decided how long and for what purposes they may then be stored and further used after collection.

The particular sensitivity of information on vaccination status strongly suggests that this information can in principle be used rather selectively and strictly on an ad hoc basis. If, for example, the vaccination status of employees is requested for the purposes of admission control or exemption from statutory testing obligations, it will probably not be possible to use this information for more far-reaching measures relating to office plan or canteen times, etc. (cf. also the opinion of the Bavarian State Office for Data Protection Supervision (BayLDA)). With the argument of the undisturbed workflow one will be able to justify that the information, who is released due to its proven vaccination status from mask obligations, can remain documented at least over a working day. However, the question of data economy arises again with the very next working day, and those who want to be completely sure delete the stored information at the end of the working day on which it was collected.

Practical tip:

In our view, pandemic protection and the proportionality of ordering contact restrictions, even for vaccinated and recovered persons, must give companies the option of carrying out targeted queries of vaccination status in clearly justified cases as part of their infection protection concepts. At the same time, however, we recommend that companies refrain from general and unjustified queries until further notice, due to the extensive concerns expressed by both data protection supervisory authorities and employee representatives against general queries of vaccination status within the company. At the same time, special attention must be paid to the previously defined purposes for which the collected information is used and how long this information may be stored. Those who do not proceed sensitively and prudently here risk not only heavy fines from the supervisory authorities, but also unpleasant disputes with employee representatives and the associated problems in communication with customers, employees and the public.