Almost every hour we receive new reports about precautionary and protective measures in the fight against the corona virus. In order to effectively combat the spread of the Covid19 virus, sensitive health data will probably have to be collected in future – in public life as well as in employment. Even if the main focus in these times is rather subordinate to data protection, a data protection-legal consideration of the measures for infection protection cannot be neglected.

Legal basis for the processing of health data

In the wake of the corona pandemic, many companies are faced with the question of what measures they may or must take in the context of infection control and occupational safety. The collection and processing of personal data – especially health data – plays an important role here. What kind of information may be collected, how and when? Employees and employers are often unaware of the nature, scope and context of the collection and processing of health data. To answer these questions, the data protection supervisory authorities of the Federal Government and the Länder (German federal states) have now drawn up a joint position in the Data Protection Conference (Datenschutzkonferenz, DSK).

The processing of health data is subject to strict requirements under the General Data Protection Regulation (GDPR, in German: “DSGVO”). In connection with appropriate measures, therefore, article 9 GDPR must be observed – in contrast to “regular data processing operations” under article 6 GDPR.
The definition of health data can be found in article 4 No. 15 GDPR. Recital (“ErwG”) 35 provides further clarification and specifies the term to the effect that it refers to information on the past, present and future state of health of a natural person.

However, the strict requirements for the processing of health data in article 9 GDPR indicate in paragraph 2 exceptional cases in which processing is permissible. As a legal basis, the following permissible offences under article 9, paragraph 2 GDPR may be considered within the framework of measures to protect against infection:

  • The informed and voluntary consent of the data subject (article 9, para. 2 lit. a)
  • The creation of exceptional circumstances by the national legislator (according to article 9, paragraph 2 lit. i), in order to safeguard public health, especially in the case of “serious cross-border health threats”
  • The adoption by the national legislator of legal provisions allowing undertakings to process special categories of personal data if there is a “substantial public interest” (Article 9, para. 2 lit. g)


Furthermore, the exception in Section 22 of the German Bundesdatenschutzgesetz (BDSG, a federal data protection act) is concretised in that companies can base the processing of health data on the “public interest” or “public health”.

If a company processes the health data of its employees, Section 26 (3) BDSG serves as the legal basis. According to this, the processing of health data within the scope of an employment relationship is permissible if “it is necessary for the exercise of rights or the fulfilment of legal obligations arising from labour law, social security and social protection law and there is no reason to assume that the data subject’s legitimate interest in the exclusion of the processing outweighs the processing.”

Balancing of interests is mandatory

The “legal obligations of the employer” result from the requirements of the German Occupational Safety and Health Act (§ 618 Para. 1 BGB§ 3 ArbSchG).

Nevertheless, a balancing of interests must take place within the framework of Section 26 (3), because the interests of the data subject worthy of protection must not outweigh the interests of processing the data.

On the one hand, the company must therefore fulfil its duty of care towards its employees, but on the other hand it must not disproportionately interfere with or restrict their personal rights.
However, due to the generally “uncertain risk situation”, it is currently difficult to assess which measures should be considered proportionate and which disproportionate. There is also still no uniform assessment by European data protection supervisory authorities. The legal situation regarding the admissibility of measures can therefore not be conclusively assessed at present.

Combating the corona pandemic: what is currently permitted?

Companies and institutions are permitted to collect and process personal data from their employees and visitors as part of the fight against the corona pandemic in order to prevent infection of the company’s employees. In this context, data on diagnosed infections or data on contact persons of persons known to be infected may be collected.

The collection of information as to whether employees were in a risk area designated by the German Robert Koch Institute at a relevant time or had direct contact with those who were ill is also considered to be permissible data collection.

However, there is only a legal basis for processing the data of infected persons or persons suspected of being infected “if, exceptionally, knowledge of the identity is necessary for the preventive measures taken by the contact persons”. This means that mentioning the names of data subjects must be avoided.
Voluntary self-declaration or questionnaires on whereabouts and symptoms are permitted, as are voluntary fever measurements by company medical staff or the employees themselves. However, private mobile phone numbers or private contact details of employees may only be collected with their express consent.

What is currently inadmissible?

Names of infected persons may only be given to a small circle of people when necessary. In the event of an infection of an employee, it is recommended that appropriate measures be taken at departmental or team level if necessary. Employees who work with or have been in direct contact with an infected person must be informed accordingly or given leave.

A blanket survey of all employees regarding their travel plans or whereabouts is just as impermissible as a blanket survey of all employees regarding their current state of health without concrete evidence.

Protection against infection and privacy: General measures

In the interest of data minimization and data economy, it is recommended to first resort to measures for general infection protection without collecting large amounts of (personal) data. In this context, for example, information signs, the provision of disinfectants or the establishment of a consultation hotline should be mentioned. Options for working remotely and the restriction of business trips as well as the restriction of visits are also proven measures that do not interfere with the personal rights of employees.

Observe the appropriateness of the measures

On the one hand, the data protection supervisory authorities point out that companies must act responsibly and appropriately for the health protection of their employees as part of their duty of care. On the other hand, the proportionality of the measures taken must be observed. Therefore, the data collected must be treated with appropriate confidentiality and strictly limited to the purpose for which they were collected. Among other things, the data collected must therefore be deleted immediately, at the latest after the end of the corona pandemic.

Emergency plans and business continuity management

Business Continuity Management (BCM) provides the prerequisites for continuing essential business activities in crisis situations. In addition to business-oriented measures, such as securing the supply chain, the Human Resources department is also concerned with the welfare and preventive care of employees. Scenario-based action models are described in contingency plans, which are intended to ensure both the safety and health of employees, for example on business trips, and the maintenance and continuation of key business activities. An appropriate BCM program takes into account the applicable legal requirements, particularly with regard to data protection. This program must then “only” be activated in the event of a crisis.

Further information (in German):


Authors: Dr. Stefanie Schneider, Stefan Eigler


Stefanie Schneider

Stefanie Schneider

Security Consultant - Mastering Risk & Compliance

Stefanie Schneider has been working for TÜV Rheinland as Security Consultant – Mastering Risk & Compliance in the area of data protection since September 2019. As an external data protection officer, she is happy to assist companies in the production and service sectors with advice and practical support. She first completed a scientific degree in the field of climate research and then an additional training in the IT sector. Stefanie Schneider is a network specialist and certified MCSE, MCP and CNA. Through her employment with a data protection supervisory authority, she first came into contact with the topic of data protection, which has been a central theme of her professional life ever since. She was also able to deepen and broaden her knowledge of various data protection issues in other positions at a project management agency for the promotion of research projects and at a consulting organization for medical research. As a freelancer for the Heise-Verlag she continued to write various articles for the format “Telepolis”. Outside the office, she likes to balance her professional preference for abstract topics in a theatre group. Her heart beats especially for comedies, in which the characters are wonderfully overdrawn.

More Posts

e scooter

e-scooter or bicycle? The cars are the problem!

I’m selfish, and I’m prejudiced. Plus, I’m a cyclist. In Berlin. Taken together, this can drive you crazy sometimes. More and more of my friends have been saying things like this recently.

No milk today – or, how our diet impacts our climate

Today, I could write about the various ways in which each one of us can help to save our climate: Second-hand clothing, furniture, electronic equipment or toys, less air travel.

Work-life balance or “you only have this one life”

As so often is the case, I’m sitting here at my desk thinking about the topic I can dedicate my upcoming blog article to: “Penetration test,” “Becoming a hacker,” “machine translation”? No!



Submit a Comment

Your email address will not be published. Required fields are marked *


No one likes popups. But you’ll like our newsletter.

Get remarkable articles on digitization, modern life, energy and technology.