Many employers are unsure how to deal with the sensitive health data of employees in the face of the Corona crisis. This is because both the data protection requirements for the processing of health data, which is only permitted in exceptional cases, and the employer’s duty of care and protection towards its employees must be reconciled. Here is a brief overview of frequently asked questions:
May the employer process health data relating to the Coronavirus and Covid-19?
Yes. Although it concerns particularly sensitive data of employees, the processing is necessary to fulfil the employer’s duty of care, its obligations under the Work Safety Act (“Arbeitsschutzgesetz”) and to protect the workforce from infections. This has been expressly confirmed by the Federal Data Protection Commissioner and the Data Protection Conference of the Federal Government and the Federal States.
May the employer ask the employee whether he or she has travelled to a Corona risk area?
Yes, because information on travel destinations does not constitute sensitive health data that can only be processed in exceptional circumstances. It is therefore sufficient that the employer has a legitimate interest to take appropriate protective measures if an employee has been in a risk area (comp. Data Protection Conference of the Federal Government and the Federal States).
If an employee is on sick leave, may the employer ask whether the employee has Covid-19?
In principle, the employer may only know that an employee is incapable to work due to an illness, not which particular illness it is. In view of a rapidly spreading pandemic, however, it can be assumed that the employee should have a duty of loyalty, which implies the obligation to disclose a Covid-19 disease in order to protect colleagues from infection. It is controversial whether such a duty exists. However, an inquiry by the employer will often not be necessary anyway, as the employer is usually informed of a Covid-19 case by the responsible health authority (comp. the State Data Protection Commissioner of Baden-Württemberg in his statement).
May the employer ask its employees about symptoms of Covid-19 disease?
No. The employer may only ask whether an existing incapacity to work is due to an illness or another circumstances. In contrast to an actual illness of Covid-19, there will regularly be no obligation on the employee to disclose only the mere symptoms of the illness, which can also occur in case of other illnesses (e.g. fever and cough).
In the event of a confirmed infection in the company, may the employer tell the workforce who the infected person is in order to identify contact persons?
In principle, it is sufficient if the employer itself identifies the contact persons (e.g. colleagues in the team) and informs these contact persons of the risk of infection without disclosing the name of the infected person. The disclosure of personal data of infected persons or persons suspected of being infected in order to identify contact persons is only lawful in exceptional cases, if the knowledge of the identity is exceptionally necessary for the precautionary measures to protect or to identify the contact persons (see statement of the State Data Protection Commissioner of Baden-Württemberg).
Can employers provide the health authorities with personal data of infected employees?
Yes. Generally the public health authority has received this data from the attending doctor anyway. According to the State Data Protection Commissioner of Baden-Württemberg, the employer is also entitled to communicate the personal data of the infected person to the competent public health authority.
May medical tests (e.g. fever measurements at the entrance to the premises) be carried out by the employer?
Medical tests, such as fever measurements or thermal imaging cameras for people external to the company may generally be covered by the employer’s domiciliary right. Generally external parties will also agree to such precautions being taken. Under data protection law, this data processing would be based on voluntary consent. For consent to be effective, however, the circumstances of the data processing must be clear to the data subject. A secret thermal image recording is therefore not permitted. Thus, the data processing must be disclosed, by means of information signs or similar. The general principles of data protection law must be observed, e.g. the data must be deleted immediately (principle of data minimization).
More difficulties arise regarding the measurement of temperature of the company’s employees. In the current time of crisis, there is a risk that many employees will endure such measures for fear of losing their jobs. In such a case, there is a risk that not a “voluntary” but a forced consent of the employee will be assumed. If a works council exists, it has a right of co-determination in the introduction of such health-protective measures. However, a shop agreement cannot be so far-reaching that it inappropriately encroaches on the employee’s personal rights against his or her will. In the absence of the consent of the concerned employee, it is highly questionable whether there can be a legal basis for a forced temperature measurement. In particular, it is doubtful whether taking a temperature helps to protect against infection, as fever can have other causes and an infection with the Coronavirus can occur without any symptoms, although the person still being contagious.
A clear prevailing opinion or a positioning of data protection authorities has not yet emerged. Due to the existing uncertainty, such measures should only be taken with the express consent of the employee and only by a person subject to medical confidentiality (e.g. company doctor). For employees who expressly do not wish to have their temperature measured, other measures should be considered, e.g. setting up a “working from home” workplace.
Which data protection particularities have to be respected for activities during working from home?
The general data protection regulations also apply during working from home. The employer must take appropriate technical and organisational measures to ensure the security of data processing. The employer must inform its employees about the general data protection provisions in a working from home workplace. For example, the computer must be adequately protected against access by family members and third parties and confidential documents must be stored securely. It must be ensured that reliable providers are selected for video and telephone conferences.
Can the employer limit the data protection rights of employees in light of the Corona crisis, e.g. right of access, right of deletion and rectification, etc.?
No, employees may continue to exercise their rights under the GDPR (right of access, right of deletion, right of rectification, right to restrict processing, right of data portability and right of objection). In principle, the employer, as the person responsible for data processing, must process the requests without delay, at the latest within one month. In our opinion, this period can easily be extended by a further two months under the current circumstances.
(27 March 2020)