The past ten weeks have put the entire population to the test. Many have themselves fallen ill with corona, or one of their close ones has. Most citizens have, however, experienced the past weeks without health constraints, but with restrictions in their daily lives. Nevertheless, the corona crisis can, without cynicism, be seen as an opportunity to “build a Germany with more freedoms and, above all, to use investments in such a way that sustainable economic strength and growth can be achieved”, as Annegret Kramp-Karrenbauer recently pointed out in an interview with the news service n-tv.
Even though corona seems to be in retreat, normality is returning to everyday life and workers are returning to their companies, it is worth taking a look at the current and proposed measures to protect companies (also in preparation for a possible second wave). The spectrum of measures ranges from the collection and publication of employee data and the taking of temperatures to the collection of visitor data and of contact persons in cases of suspected or confirmed corona infection. The legitimacy of some of these measures is viewed as controversial in parts.
Observance of data protection principles
In the context of all measures that involve the use of personal data, the basic principles of data protection law must be observed. Personal data must be processed in a lawful manner, in good faith and in a manner that is comprehensible (i.e. transparent) for the data subject, Article 5 para. 1 a) GDPR. Data may only be processed for specified, explicit and legitimate purposes (Article 5 para. 1 b) GDPR) and must be limited to what is necessary for the purposes of the processing (Article 5 para. 1 c) GDPR). When processing data in the context of corona, the special requirements of Article 9 GDPR must be taken into account. Data collection in the context of corona entails the processing of health data which, as “sensitive” personal data, are in need of particular protection and require special justification in accordance with the conception of the GDPR. The most important legal bases for the processing of health data by non-public bodies are to be found in Section 26 para. 3 of the BDSG [Federal data protection law of Germany, Bundesdatenschutzgesetz] (with regard to health data of employees) and Article 9 para. 2 i) GDPR in conjunction with Section 22 para. 1 no. 1 c) BDSG (in relation to health data of non-employees). For certain companies, these provisions are accompanied by corona protection ordinances of the individual federal states as an implementation of the legal basis under Section 32 of the IfSG [Infection Protection Act, Infektionsschutzgesetz], e.g. in Bavaria through the Fourth Bavarian Infection Protection Ordinance of 5 May 2020 together with the Amendment Ordinance or in North Rhine-Westphalia through the Ordinance on Protection against New Infections with the Coronavirus SARS-CoV-2.
The other requirements of data protection legislation for legitimate data processing must also not be neglected, in particular compliance with transparency obligations in the form of privacy policies and the introduction of adequate security measures and guidelines to ensure confidentiality, as pointed out by the European Data Protection Committee in its opinion on the processing of personal data in the context of the COVID-19 outbreak of 13 March 2020 and by the Data Protection Conference in its resolution of 3 April 2020.
The accountability obligation under data protection law (Article 5 para. 2 GDPR) obliges companies to document the specific measures, their legal basis and, where applicable, the weighing up of interests carried out and to provide evidence that the entity has fully complied with its obligations under data protection law.
Legitimacy of specific measures
Collection and publication of employee data
The employer is obliged to react appropriately to the spread of corona due to its duty of care towards other employees under labour law, arising from the employment contract and the German Occupational Safety and Health Act (Arbeitsschutzgesetz, ArbSchG), and due to its duty of protection towards third parties. This includes precautionary measures and the traceability of possible corona cases, which can include, for instance, asking employees questions. Such self-disclosure is covered by the duties of care and protection and is permitted under data protection law in accordance with Section 26 para. 3 BDSG (for health data) or Article 6 para. 1 sentence 1 f) GDPR (for all other data). The right to ask questions is, however, limited by the requirement of necessity and may only comprise questions relating to the investigation of corona. Legitimate questions include:
- Whether typical symptoms of a corona infection are present;
- Whether a positive corona test has been issued;
- Questions about travel activities to one of the recognised and officially designated risk areas (if available);
- Questions about infections and suspected cases of infection in persons with whom employees or persons from their immediate environment (e.g. members of the household, close acquaintances) have had direct contact within the last 14 days.
The transparency obligations entail that any questionnaire must be accompanied by data protection notices (Article 13 GDPR) or, if necessary, refer to online data protection notices. In addition, the other documentation under data protection law, in particular the record of processing activities, must be updated; (technical) security measures must be taken to safeguard the data; and deletion periods or measures for the secure deletion of the data must be specified.
It is not permitted to disclose the name of a person suspected or proven to be infected to the public (e.g. on the website) in order to reach all persons who have had potential contact with an infected employee; internal disclosure within the company (e.g. on the intranet) is permitted only as a last resort (ultima ratio). In the first case, the disclosure of the employee’s name to the public is likely to be disproportionate, in particular due to the associated stigmatisation of the employee, because the publication is directed at an indeterminable group of persons who have had no contact with the employee and for whom an infection with corona via this route is thus excluded. In the second case, possible contact persons within the company must first be identified, which the employee is obliged to do on the basis of their secondary obligations arising from the employment relationship. However, even in this case, disclosure of the name for the purpose of informing contact persons is only legitimate if knowledge of the identity is exceptionally necessary for the contact persons’ preventive measures.
Company internal corona trackers
While the general corona tracking app (corona warning app) is still under development, some developers offer contact tracing apps for smartphones or stand-alone products in the form of portable devices especially for internal company purposes. Such technologies record contacts between employees in pseudonymised form. Access to the data within the company should only be granted to a person with appropriate administrative rights (e.g. an IT representative). This would enable the tracing of possible chains of infection within the company without having to rely on the (possibly incomplete) memory of the employee. However, in order for the generated data to achieve its purpose (contact tracing), the users must always carry the corona tracer with them, which cannot be guaranteed in a reliable manner.
Apart from this practical problem, it is questionable whether employers can make the use of these technologies mandatory by virtue of their right to issue instructions. According to the European Data Protection Committee, tracing technologies must in principle remain voluntary. If the employer considers making the use of such technologies mandatory, the works council must be involved, because the use concerns matters of order in the business and the conduct of employees in the business (Section 87 para. 1 no. 1 BetrVG [German Works Constitution Act, Betriebsverfassungsgesetz]), and because such technologies are suitable for monitoring the conduct of employees (Section 87 para. 1 no. 6 BetrVG). The GDPR contains further formal hurdles in the context of the use of corona tracing apps or devices, namely the obligation for the employer to consider a data protection impact assessment in accordance with Article 35 GDPR and to adapt the data protection documentation.
The taking of temperature / thermographic cameras
Taking the temperature of individuals (fever measurements) as a measure is the subject of considerable controversy. The supervisory authority of Rhineland-Palatinate, for example, doubts the suitability of taking the temperature for the detection of corona disease as such. The supervisory authority of North Rhine-Westphalia, on the other hand, considers taking the temperature at the entrance of company premises or buildings to be justified under strict conditions in accordance with Section 26 para. 3 sentence 1 BDSG. It is correct that taking the temperature of a person does not allow an unambiguous detection of a corona infection. It is not correct, however, to simply deny its suitability as such. Such a measure is suitable for detecting a corona infection because fever can be one of the corona symptoms. It is merely not suitable for the unambiguous detection of a corona infection. Likewise, however, asking employees about corona-specific symptoms is not suitable for the unambiguous detection of a corona infection, because a corona infection can also be asymptomatic. Nor is it obvious why asking employees about corona-specific symptoms by means of questionnaires should infringe their personal rights less than taking their temperature would. Viewing fever measurements as generally inadmissible under data protection law would thus go too far. Even if not permitted without cause, fever measurements should at least be permitted as an additional measure for the detection of concrete suspected cases, as provided for in Section 13 of the SARS-CoV-2 occupational safety standard of 16 April 2020.
Taking the temperature of non-employees – to the extent that it constitutes the processing of data under data protection law at all, cf. Article 2 para. 1 GDPR – can only be assessed in light of Article 9 para. 2 i) GDPR in conjunction with Section 22 para. 1 no. 1 c) BDSG. It is certainly questionable to what extent taking the temperature of visitors “is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border health risks or to ensure high quality and safety standards in health care and for medicinal products and medical devices”, as Section 22 para. 1 no. 1 c) BDSG requires. Concrete measures such as fever measurements can only be covered to a limited extent by this provision of rather general character. The supervisory authority of Hesse, on the occasion of fever measurements of store visitors by the computer manufacturer Apple, has undertaken a data protection review and a discussion within the framework of the Data Protection Conference. It remains to be seen how the supervisory authorities position themselves on the legitimacy of the measure and whether their statements can be applied to other situations.
In any case, even for such measures, the obligations under data protection law, in particular transparency obligations, must be observed and, if applicable, the documentation necessary under data protection law must be updated.
Collection of customer data/visitor data
In the opinion of the Data Protection Conference, the collection of customer data/visitor data to determine whether they themselves are infected or have been in contact with a person who is demonstrably infected can be based on Article 6 para. 1 sentence 1 f) GDPR and, insofar as health data are concerned, on Article 9 para. 2 i) GDPR in conjunction with Section 22 para. 1 no. 1 c) BDSG. With regard to the type and permissible scope of the personal data collected in this process, it is necessary, but also sufficient, to request the name and one further piece of contact information (address, telephone number or e-mail address) of the person and the period of time the person has spent at the company (cf. point 12 of the SARS-CoV-2 occupational health and safety standard of 16 April 2020). Due to the principle of data minimisation, further data queries should be avoided.
Gastronomic establishments are obliged to collect data relating to guests on the basis of the Corona Protection Ordinances at state level, e.g. in Bavaria on the basis of Section 13 para. 4 sentence 3 of the Fourth Bavarian Infection Protection Ordinance in conjunction with the “Gastronomy Hygiene Concept of the Bavarian State Ministries of Health and Care and for Economy, State Development and Energy” (point 3.2.9): name, telephone number and duration of stay. These data are to be gathered solely for the purpose of identifying contact persons and may not be used for other purposes, e.g. advertising.
Companies find themselves caught between two obligations in times of corona. On the one hand, they are obliged to take appropriate measures to contain corona and to protect their employees and customers. On the other hand, data protection provisions set limits and formal hurdles for some of the measures, even though data protection has proven its flexibility and does not fundamentally stand in the way of such measures. The formalities that can be necessary range from the preparation or updating of privacy policies, the weighing of interests and data protection impact assessments to the implementation of technical security measures. Where this has not been done yet, the “period of rest” should be used to prepare suitable measures and to comply with data protection requirements.