What are the guidelines issued?

On March 13, 2020, the German "Datenschutzkonferenz", a collective body comprising independent federal and state data protection authorities, published guidelines regarding Covid-19 and data protection.1 On the same day, the state data protection authority of Baden-Württemberg published Q&As on the subject.2 A few days later, the state data protection authority of Rhineland-Palatinate issued a note focusing on employee data protection.3

Snapshot of guidelines issued covering:

Asking employees, customers, vendors, and visitors about their diagnoses or symptoms

Controllers are allowed to collect and process personal data of employees and visitors, including health data, in particular to determine whether they are infected with Covid-19, have been in contact with a person who is proven to be infected, or have traveled to an area classified by the German Robert Koch Institut as a Covid-19 risk area.

Conducting or requiring examinations of employees

Employers are not allowed to actively collect health data of employees (data protection authority of Baden-Württemberg). In addition, temperature testing is not lawful given the existing doubts as to the suitability of such tests, as well as the various less intrusive measures that could be used (data protection authority of Rhineland-Palatinate). This applies even where employees do not oppose the tests.4

Sharing information about affected individuals

It is only lawful to share personal information of individuals infected with Covid-19 or suspected of being infected if the knowledge of their identity is exceptionally necessary for protecting people they had contact with. In this case, controllers may rely on Art. 6(1)(c) or (f) GDPR.

Any other relevant considerations from the guidelines

Health data must be kept confidential, used solely for the intended purpose and deleted once the purpose is achieved (as a general rule, at the latest after the end of the pandemic). For data processing activities that are not covered by the legal ground of necessity of data processing for reasons of public interest in the area of public health, controllers may rely on consent only where data subjects have been informed about the data processing and have voluntarily consented.

Footnotes

1 https://www.bfdi.bund.de/DE/Datenschutz/Themen/Gesundheit_Soziales/GesundheitSozialesArtikel/Datenschutz-in-Corona-Pandemie.html?nn=5216976

2 https://www.baden-wuerttemberg.datenschutz.de/faq-corona/

3 https://www.datenschutz.rlp.de/de/themenfelder-themen/beschaeftigtendatenschutz-corona/

4 https://www.covid19.law/2020/03/compulsory-temperature-testing-and-the-protection-of-employee-data/


© Copyright 2020. The Mayer Brown Practices. All rights reserved.
