Data protection requirements regarding measures to protect personnel in case of an infection at the workplace
German employers have to seize numerous measures these days to protect their employees from an infection with the coronavirus SARS-CoV-2. If there is a suspicion of an infection or an in-fection of an employee has been confirmed, data protection requirements and the employer's in-terest in informing the staff about the infection conflict: The (potential) infection of an employee with the coronavirus qualifies as information about the employee's health. According to Art. 9 (1) of the General Data Protection Regulation ("GDPR"), such health data is a special category of personal data, the processing of which is generally prohibited and only permitted in certain exceptional cases. However, an employer, due to its duty of care arising under employment law, but also out of a public interest, has a considerable interest in obtaining early knowledge of a (potential) case of infection of an employee in order to be able to take protective measures for the staff and third parties. It is obviously vital to obtain the information that a case of infection has occurred in the company in order to prevent a spread of the disease, and to notify contact persons immediately.
Last Friday (13 March 2020), the German Data Protection Conference, the committee of the data protection supervisory authorities of the Federal government and the states ("DSK"), published guidance on the processing of employees’ personal data by their employer in connection with the coronavirus pandemic. Taking into account the information provided by DSK and the current ex-ceptional pandemic situation, the processing of health data of such employees who have been in-fected with the coronavirus is likely to be permissible on the basis of the following justification grounds from a data protection perspective:
Processing of health data for employment-related purposes
By derogation from Art. 9 (1) GDPR, Sec. 26 (3) of the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) allows for the processing of special categories of personal data for employment-related purposes, i.e. if the processing is necessary to exercise rights or comply with legal obligations derived from labor law, social security and social protection law, and there is no reason to believe that the data subject has an overriding legitimate interest in not processing the data.
The scope of this clause is generally interpreted narrowly in order to ensure that only such data processing activities are covered which have an immediate link to an employment relationship. However, under labor law, the employer is also obliged, to the extent possible, to ensure a safe and healthy workplace. From our point of view (which has now been confirmed by the guidance of the DSK dated 13 March 2020), the processing of employees’ personal data in the context of coronavirus notifications to staff can, under certain circumstances, be necessary to comply with this duty of care for employees.
However, disclosure of the name of an infected employee must be strictly limited under the principle of proportionality. This requires a careful evaluation of the circumstances of each in-dividual case, taking into account any relevant risk factors for a spread of the disease, e.g.
- the size of the company and type of work,
- the specific characteristics of the workplace of the infected employee and
- the exposure of the (potentially) infected employee to other people.
The data protection authorities have made it clear that only in very rare cases it may be neces-sary to inform the entire staff about the (potential) infection of a specific employee. In our view, this may be the case if an employee has travelled a lot in the past between business loca-tions and has had broad contact potentially with all colleagues. In other cases (which would be the standard case), an employer must carefully evaluate whether is it sufficient e.g. to only disclose the name of an infected person to colleagues who have worked closely together with that infected person (e.g. team members, colleagues sharing an office room), or to alert persons in the specific team the infected person works with or in a specific (small) location where the in-fected person is based. Other colleagues can be informed on a no name-basis.
Please note that Sec 26 (3) BDSG usually does not permit the employer to force a potentially in-fected employee to disclose a diagnosis when an employee has reported sick. The employer is entitled to ask an employee whether he has been to an area classified as “risky” by the competent health authorities. However, under the current exceptional circumstances, the data protection authorities even suggest that employees may be obliged, under the employment relationship, to disclose whether they have been diagnosed with the coronavirus. We note, however, that this view has not yet been confirmed by competent courts. Irrespective of that, in case the authorities have formally ordered an employer to request this information from its employees, there is a statutory obligation to provide the authorities with the respective information.
Processing of health data for reasons of public interest
Furthermore, Sec. 22 (1) no. 1 lit. c) BDSG (in conjunction with Art. 9 (2) lit. i) GDPR) stipu-lates that the processing of health data is permitted if it is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. In this context, Recital 46 GDPR explicitly states that the processing may serve both important grounds of public interest and the vital interests of the data subject when the processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies.
Although Sec. 26 (3) BDSG is specifically addressing data processing in the context of an em-ployment relationship, there are good reasons to argue that an employer may also rely on Sec. 22(1) no. 1 lit. c) BDSG as an additional justification ground. If an employer notifies staff about an infection at the workplace, this is not only done to ensure safe working conditions but also for reasons of public interest (Sec. 22 (1) no. 1 lit. c) BDSG), i.e. to prevent the continuous spread of the coronavirus to colleagues and further people. Again, this will require a careful assessment whether and to who personal data shall be disclosed (see above).
Please do not hesitate to contact us if you have further questions.