The Conference of German Data Protection Authorities (“DSK”), the body of the federal and state Data Protection Authorities (“DPAs”) in Germany, recently issued joint recommendations regarding employers’ processing of employee personal data in the context of the coronavirus (“COVID-19”) pandemic. The DSK makes it clear that data protection does not hinder measures to fight COVID-19. According to DSK, employers can collect personal data of employees in order to prevent the spreading of the virus at the workforce. Employers also may process personal data of workplace visitors for COVID-19 related purposes. However, all measures must be proportionate.
Federal Data Protection Commissioner
The DSK published detailed guidance on the website of the German Federal Data Protection Commissioner’s Office. The guidance clarified the following:
- Purposes: Employers can collect and process personal data of employees and visitors, including health information, to determine whether (1) they are infected or have been in contact with an infected person, or (2) they were in a high-risk area during the relevant period. The disclosure of personal data of infected persons (confirmed and suspected) to inform others is lawful only if it is strictly necessary under exceptional circumstances to know the identity of that person, in order to allow others to take relevant precautions.
- Legal basis: The relevant legal basis for such data processing by employers in the private sector is the EU General Data Protection Regulation’s (“GDPR’s”) legitimate interests legal basis (Article 6 (1)(f)). Where health information is processed, the relevant legal basis is the GDPR’s employment and social protection legal basis (i.e., processing that is necessary for the purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law – Article 9 (2)(b). In addition, the guidance notes that Section 26 (3) of the German Federal Data Protection Act includes additional requirements for the GDPR’s employment and social protection legal basis to process sensitive data, in particular that there is no reason to believe that the data subject has an overriding legitimate interest in not processing the data. Measures against third parties that require the processing of health data can be justified based on the GDPR’s legal basis regarding processing that is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health (Article 9 (2)(i)).
- Consent: The consent of data subjects can only be considered as a legal basis for COVID-19 measures if the data subjects are informed about the data processing and can provide consent about the measures voluntarily.
In addition, the Federal Data Protection Commissioner published General FAQs that clarifies, among other points, the following:
- Duty of care: With regard to the legal basis considerations, the employer’s legitimate interests legal basis and, for health data, the employment and social protection legal basis, derive from the general duty of care of the employer toward their employees. Under the duty of care, the employer must ensure the protection of the health of all employees. This also includes developing an appropriate response to the spreading of COVID-19, in particular for prevention and traceability purposes (i.e., subsequent prevention toward contact persons).
- Types of data: There is no definite answer to the question of what personal data the employer is allowed to process in the context of the COVID-19 pandemic. However, the criteria should be whether the processing is necessary for a given purpose (such as processing that is necessary for the protection of the health of employees and for compliance with statutory reporting obligations), and the implementation of the GDPR’s principle of data minimization. The Federal Data Protection Commissioner does not have concerns regarding the processing of the following categories of personal data of employees, contractors and visitors in connection with the COVID-19 pandemic:
- Name;
- Current contact information;
- Contacts with other persons made within the organization;
- Previous or intended stay in a high risk area;
- Previous contacts with supposedly infected persons; or,
- Whether a person is symptom-free.
- Retention: The data must be deleted when the original purpose for processing no longer applies. For example, the data of visitors can be deleted after 1 - 3 months if no cases of infection have become known to the employer.
Furthermore, the Federal Data Protection Commissioner published Employee-Privacy FAQs that clarify the following points:
- Private contact information: The employer can collect the private mobile numbers and email addresses of employees, as their use may be necessary to ensure the ongoing accessibility of those persons during the COVID-19 crisis. These communications may need to be used to provide quick information and warnings to employees in case of illness or in case of an overload of the IT infrastructure where a different arrangement should be made within the work units. However, there should be care taken not to transmit sensitive information via unsafe communications or email services since there can be a risk of unauthorized access by third parties to such data.
- Works council candidates: There is no issue with publishing works council election proposals on the company’s Intranet page, as this is not disclosure to a third party.
- Processing employee files in home office: The processing of employee files in an employee’s home office can only take place in exceptional circumstances if it is strictly necessary and provided that technical and organizational measures have been taken to protect personal data in the home office. The Federal Data Protection Commissioner recommends, among others, the following technical and organizational measures for use in home office:
- Regular reminders to comply with the data protection regulations and principles;
- The transport of paper files in courier folders, inside lockable cases with two combination locks;
- Keeping a list of the files carried and returned;
- Having a separate lockable room as a home office;
- Locking documents at home;
- Not disposing of documents in the home office;
- The exclusive use of hardware components that are approved for identification and authentication on the company’s network;
- Hardware and software encryption;
- A three-level password authentication system;
- Maintaining access log files;
- Evaluation of log files, especially with regard to private use;
- Not printing in the home office; and,
- Using screen protectors, if necessary.
Similar COVID-19 guidance has been issued by several state data protection authorities in Germany, including the following:
- Baden-Württemberg
- Schleswig-Holstein
- Bayern
- Hamburg
- Rheinland-Pfalz
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code