COVID-19 – Data protection law aspects
04/03/2020 - Reading time: 2 minutes
The recording of confirmed and suspected cases of coronavirus infections is a core measure for containing the spread of the virus. Data on coronavirus infections or suspected cases is considered sensitive data which is subject to special data protection. The processing of such data requires an adequate legal basis.
Overall, it must be stated that the processing of this health data is admissible to an extent necessary for stopping the spread of the coronavirus and for protecting others. As the legal basis for employers collecting data of individuals with a confirmed or suspected infection with the virus, Article 9 (2) (h) of the General Data Protection Regulation on the one hand and Article 9 (2) (b) ibidem on the other hand come into question. Article 9 (2) (h) GDPR acknowledges the processing of data for the purpose of preventive medicine. Article 9 (2) (b) GDPR acknowledges the processing for the purpose of meeting obligations under employment and social law. The obligations under employment law also include the employer’s duty of care. Based on the duty of care, employers are obligated to take measures to protect the life and health of their employees and to reduce the respective health risks.
The lawfulness of transmitting data of individuals with confirmed or suspected infection with the virus to health authorities is based in part directly on the Epidemics Act (Epidemiegesetz). It expressly provides for an obligation to report cases of confirmed and suspected infection. This, however, applies only to individuals with an obligation to report as explicitly set out in the Epidemis Act (e.g. doctors, nursing staff, owners of catering and bar businesses, etc.). In general, employers are thus not subject to the obligation to report under the Epidemics Act. An obligation to report may, however, result from the duty of care (protection of the other staff members). In addition, Article 9 (2) (i) GDPR which acknowledges the processing of health data for, inter alia, staving off a pandemic (processing for reasons of public interest in the area of public health) also comes into consideration.
Section 3a of the Epidemics Act furthermore expressly authorises a district administration authority (Bezirksverwaltungsbehörde) to disclose the name and necessary contact details of a person subjected to COVID-19 segregation action under the Epidemics Act to the mayor of the community where that person is resident, if and to the extent that such disclosure is indispensable for providing that person with the necessary healthcare services or with goods and services to cover everyday needs. The mayor must erase this data immediately after it has ceased to be required for the stated purpose. In addition, the mayor must take suitable data protection measures.
In order to protect the public from infectious diseases, the rights of the data subject under data protection laws are significantly restricted with regard to the processing of health data . In this case, among other things, the right to object, the right to information and the right to erasure under the GDPR do not apply.
Health data may be processed solely for the purpose of fighting the spread of the coronavirus and for the purpose of medical treatments. The data shall thus be erased once it is no longer required for fighting the pandemic or for medical treatments.
As in all cases of unlawful data processing, personal data breaches in connection with the measures taken to fight the coronavirus may also result in penalties under the GDPR.
Data protection regulations must be observed also in connection with employees in home office, a practice which is currently increasing. Employees in home office shall, in general, observe the same data protection rules that apply to their work in a regular office.
Special care in this context must be taken in particular to ensure that company (and in particular personal) data is not disclosed to third parties. Hardware (laptop, company mobile phones made available to employees etc.) is to be kept in a safe place and access by third parties is to be prevented in particular, without limitation, through passwords. Data should be encrypted and a secure Wi-Fi connection should be used when working from home. Employers are obligated to provide employees with IT equipment appropriate to ensure that work in home office is carried out in line with the data protection law.