Legal basis for the processing of health data
In the wake of the corona pandemic, many companies are faced with the question of what measures they may or must take in the context of infection control and occupational safety. The collection and processing of personal data – especially health data – plays an important role here. What kind of information may be collected, how and when? Employees and employers are often unaware of the nature, scope and context of the collection and processing of health data. To answer these questions, the data protection supervisory authorities of the Federal Government and the Länder (German federal states) have now drawn up a joint position in the Data Protection Conference (Datenschutzkonferenz, DSK).
The processing of health data is subject to strict requirements under the General Data Protection Regulation (GDPR, in German: “DSGVO”). In connection with appropriate measures, therefore, article 9 GDPR must be observed – in contrast to “regular data processing operations” under article 6 GDPR.
The definition of health data can be found in article 4 No. 15 GDPR. Recital (“ErwG”) 35 provides further clarification and specifies the term to the effect that it refers to information on the past, present and future state of health of a natural person.
However, article 9 GDPR, despite its strict requirements for the processing of health data, lists in paragraph 2 the exceptional cases in which processing is permissible. Within the framework of measures to protect against infection, the following permissions under article 9, paragraph 2 GDPR may be considered as a legal basis:
- The informed and voluntary consent of the data subject (article 9, para. 2 lit. a)
- The creation of exceptional circumstances by the national legislator (according to article 9, paragraph 2 lit. i), in order to safeguard public health, especially in the case of “serious cross-border health threats”
- The adoption by the national legislator of legal provisions allowing undertakings to process special categories of personal data if there is a “substantial public interest” (Article 9, para. 2 lit. g)
Furthermore, Section 22 of the German Bundesdatenschutzgesetz (BDSG, the federal data protection act) gives concrete form to these exceptions, so that companies can base the processing of health data on the “public interest” or on “public health”.
If a company processes the health data of its employees, Section 26 (3) BDSG serves as the legal basis. According to this, the processing of health data within the scope of an employment relationship is permissible if “it is necessary for the exercise of rights or the fulfilment of legal obligations arising from labour law, social security and social protection law and there is no reason to assume that the data subject’s legitimate interest in the exclusion of the processing outweighs the processing.”
Balancing of interests is mandatory
Nevertheless, a balancing of interests must take place within the framework of Section 26 (3), because the interests of the data subject worthy of protection must not outweigh the interests of processing the data.
On the one hand, the company must therefore fulfil its duty of care towards its employees, but on the other hand it must not disproportionately interfere with or restrict their personal rights.
However, due to the generally “uncertain risk situation”, it is currently difficult to assess which measures should be considered proportionate and which disproportionate. There is also still no uniform assessment by European data protection supervisory authorities. The legal situation regarding the admissibility of measures can therefore not be conclusively assessed at present.
Combating the corona pandemic: what is currently permitted?
Companies and institutions are permitted to collect and process personal data from their employees and visitors as part of the fight against the corona pandemic in order to prevent infection of the company’s employees. In this context, data on diagnosed infections or data on contact persons of persons known to be infected may be collected.
The collection of information as to whether employees were in a risk area designated by the German Robert Koch Institute at a relevant time or had direct contact with those who were ill is also considered to be permissible data collection.
However, there is only a legal basis for processing the data of infected persons or persons suspected of being infected “if, exceptionally, knowledge of the identity is necessary for the preventive measures taken by the contact persons”. This means that mentioning the names of data subjects must be avoided.
Voluntary self-declaration or questionnaires on whereabouts and symptoms are permitted, as are voluntary fever measurements by company medical staff or the employees themselves. However, private mobile phone numbers or private contact details of employees may only be collected with their express consent.
What is currently inadmissible?
Names of infected persons may only be given to a small circle of people when necessary. In the event of an infection of an employee, it is recommended that appropriate measures be taken at departmental or team level if necessary. Employees who work with or have been in direct contact with an infected person must be informed accordingly or given leave.
A blanket survey of all employees regarding their travel plans or whereabouts is just as impermissible as a blanket survey of all employees regarding their current state of health without concrete evidence.
Protection against infection and privacy: General measures
In the interest of data minimization and data economy, it is recommended to first resort to measures for general infection protection that do not require collecting large amounts of (personal) data. Examples include information signs, the provision of disinfectants or the establishment of a consultation hotline. Options for working remotely, the restriction of business trips and the restriction of visits are also proven measures that do not interfere with the personal rights of employees.
Observe the appropriateness of the measures
On the one hand, the data protection supervisory authorities point out that companies must act responsibly and appropriately for the health protection of their employees as part of their duty of care. On the other hand, the proportionality of the measures taken must be observed. Therefore, the data collected must be treated with appropriate confidentiality and strictly limited to the purpose for which they were collected. Among other things, the data collected must therefore be deleted immediately, at the latest after the end of the corona pandemic.
Emergency plans and business continuity management
Business Continuity Management (BCM) provides the prerequisites for continuing essential business activities in crisis situations. In addition to business-oriented measures, such as securing the supply chain, the Human Resources department is also concerned with the welfare and preventive care of employees. Scenario-based action models are described in contingency plans, which are intended to ensure both the safety and health of employees, for example on business trips, and the maintenance and continuation of key business activities. An appropriate BCM program takes into account the applicable legal requirements, particularly with regard to data protection. This program must then “only” be activated in the event of a crisis.
Further information (in German):
- Federal Data Protection Commissioner “Datenschutzrechtliche Informationen zur Verarbeitung von personenbezogenen Daten durch Arbeitgeber und Dienstherren im Zusammenhang mit der Corona-Pandemie”
- FAQs der Datenschutzaufsicht Baden-Württemberg zum Thema Corona
- FAQs des Bundesministeriums für Arbeit und Soziales „Coronavirus: Arbeitsrechtliche Auswirkungen“
- Services zum Business Continuity Management von TÜV Rheinland
Authors: Dr. Stefanie Schneider, Stefan Eigler
Security Consultant - Mastering Risk & Compliance