Does data protection stand in the way of infection control?
The coronavirus (Covid-19) poses a great challenge to all of us. The WHO has meanwhile classified Covid-19 as a pandemic. The number of infected people is rising daily. While consequences cannot yet be assessed, uncertainty is increasing.
Data protection is surely not the most important issue in this context. Nonetheless, the following questions are increasingly being considered: What measures does data protection allow employers and companies to take? Is it permitted to collect sensitive (health) data of employees and visitors to protect workers, the company, and customers or visitors? The European data protection authorities hold different views on these issues. German data protection authorities consider the collection of such data to be permissible under certain conditions. Above all, any measures taken must be necessary and proportionate. Whether necessity and proportionality are given will have to be decided on a case-by-case basis.
When collecting personal data in connection with the corona pandemic, links between individuals and their state of health are typically established. In these cases, the relevant data are health data which are special categories of personal data that are protected under Article 9 General Data Protection Regulation (GDPR). The processing of health data is generally only possible to a limited extent. Such data may be processed in compliance with data protection regulations, however, where necessary to contain the corona pandemic or to protect employees. Several German data protection supervisory authorities have commented on this topic in the meantime and are making overviews available to employers of how to deal with the corona pandemic:
- Federal Commissioner for Data Protection and Freedom of Information
- Lower Saxony State Commissioner for Data Protection [in German]
- Baden-Württemberg State Commissioner for Data Protection and Freedom of Information [in German]
German supervisory authorities conclude that employers may collect all data needed to fulfil their duty of care. This duty of care requires employers to ensure the health protection of all their employees. It includes measures to protect other employees from infection by a sick person. These measures must always be necessary and proportionate. The relevant data must be treated confidentially and used exclusively for the intended purposes. Once the respective processing purpose ceases to apply, which is typically at the end of the pandemic at the latest, the data collected must be deleted without delay.
What exactly does this mean, however, for the multitude of measures that employers currently intend to take or have to take to protect their employees? Some of those measures are presented below as examples and briefly assessed under data protection law on the basis of the aforementioned comments:
- To contain and combat the corona pandemic, it may be permissible under data protection law for employers to collect data on the persons with whom the sick employee had been in contact.
- While in general mentioning the name of the affected employee to colleagues is to be avoided, this may be necessary in individual cases if employees who have been in direct contact with an infected person need to be warned and released from work themselves to contain the risk of infection.
- In addition, employers may ask individuals returning from vacation whether they stayed in a risk area as defined by the Robert Koch Institute. A negative answer from the employee is usually sufficient. Employers may make further enquiries only if this is justified by other reasons or further indications.
- Employers may also request and temporarily store their employees’ current private mobile phone numbers so as to warn employees at short notice and, for example, tell them not to show up at work. This is only permissible with the employees’ consent and must serve to reduce the risk of infection. Under no circumstances may the mobile phone numbers be used for other purposes, such as contacting employees after hours for business reasons.
- German data protection supervisory authorities have not yet taken a position on whether taking employees’ and visitors’ temperatures is permissible. While this measure may in principle be covered by the employer’s powers to enforce house rules as far as visitors are concerned, it is to be assessed differently for employees. Since their constitutionally protected personality right must be taken into account, a proportionality test has to be carried out. For example, in assessing the appropriateness of the measure, the company’s industry sector (e.g. the food industry) can play a role. It can also be considered whether there are already suspected cases of infection in the company, whether employees have been in a risk area, or whether the company is located in a region with a large number of infected people. All of the above may argue for the permissibility of taking temperatures.
Legally, the necessary measures may be legitimized on the basis of the GDPR and the German Federal Data Protection Act (possibly in conjunction with the data protection acts and other specialized laws of the relevant German state). For employers in the non-public sector, the authorization to process personal employee data is derived from Section 26 (1) Federal Data Protection Act and Article 6 (1) sentence 1 (f) GDPR in conjunction with the relevant provisions of national law under civil service law, collective bargaining law, employment law, and social law. Where health data are processed, Section 26 (3) Federal Data Protection Act and Article 9 (2) (b) GDPR are also relevant.
Similar to the German data protection authorities, the Irish Data Protection Commission DPC, the Hungarian National Authority for Data Protection and Freedom of Information NAIH [in Hungarian], and the UK Information Commissioner's Office ICO consider the processing of personal data, including health data, to be permissible where this is necessary and proportionate. The Irish DPC explicitly includes an obligation for all employees to complete a questionnaire.
The French Data Protection Supervisory Authority CNIL [in French] takes an entirely different view. According to CNIL, employers cannot take any measures that might infringe the privacy of data subjects, in particular by collecting health data, since this category of data is subject to the special protection of the GDPR and national statutory provisions. The systematic collection of medical records or questionnaires from all employees is therefore considered not permitted. Luxembourg’s National Commission for Data Protection CNPD holds a similar view.
CNIL also expressly points out that the mandatory taking of employees’ or visitors’ temperatures, with the readings sent daily to their superiors, is inadmissible. This view is shared by the Italian Data Protection Authority Garante and the Dutch Data Protection Authority AP [in Dutch].
Tip for use in practice:
In times of Covid-19, developments are dynamic and the positions mentioned above can change at any time. The differing arguments and assessments of the European data protection supervisory authorities show that it is hardly possible to give a generally valid answer to whether a measure is admissible under data protection law. Whether or not a measure taken by employers to protect employees and the company is admissible can therefore only be assessed on the basis of the status quo and the specific individual case.
We therefore recommend that every individual case be examined and that the decision as to which specific measure is necessary and proportionate be made in consultation with the works council and the internal or external data protection officer. We will be pleased to support you in assessing data processing in compliance with data protection regulations in connection with implementing measures to contain the corona pandemic and to protect your employees and company.
Status: March 18, 2020