Legal Bases under the GDPR
Health data are subject to the processing ban in Art. 9 para. 1 GDPR and thus to stricter requirements than the processing of “regular” personal data. The law defines exceptional cases in which processing is permitted. As a legal basis for processing health data in connection with measures to protect against the coronavirus, several of the exceptions in Art. 9 para. 2 GDPR come into consideration in principle, as this provision permits data processing on the basis of the data subject's consent. It must be taken into account that, in contrast to Art. 6 para. 1 sentence 1 (a) GDPR, such consent cannot be given implicitly. In addition, consent must be informed and voluntary; it must not be mandatory.
Under the exceptions in Art. 9 para. 2 (i) and (g) GDPR, the national legislator can create regulations under certain conditions. Under Art. 9 para. 2 (i), the processing of sensitive data is permissible if it concerns the area of public health, which includes in particular “serious cross-border health threats” and “ensuring high standards of quality and safety in health care and medicinal products and medical devices”. Given the increasingly rapid spread of the coronavirus, it can be regarded as a serious cross-border health threat, so measures to protect against it fall within this exception.
As a further legal basis for the lawfulness of the processing, Art. 9 para. 2 (g) could apply. According to this, the national legislator can enact legal provisions that allow companies to process special categories of personal data if there is a substantial public interest. Such a substantial public interest certainly exists in the case of measures against Covid-19.
The GDPR also aims at protection during a pandemic and wants to allow data processing for the purpose of “health monitoring and health warnings” – which is exactly what is needed during a pandemic. In this context, special attention must generally be paid to the transparency of measures, special confidentiality/IT security and data minimisation. The GDPR clarifies:
Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread […].
However, as things stand at present, the national legislator has not made clear use of the possibilities given in Art. 9 GDPR to enact special laws to protect against pandemics and to allow companies to process health data for this purpose. Only a specification of various provisions in national law has been made.
Conclusion on Data Processing in the Context of the COVID-19 Pandemic
As soon as companies process health data for their protection measures – this can hardly be avoided for protection against the coronavirus – data protection requirements must be taken into account. Art. 9 GDPR provides for various possibilities in this regard, which, however, have only been used rudimentarily by the German legislator.
Companies can and should take defensive measures to protect their workforce and operations. Unproblematic measures include, for example, putting up warning signs with information, asking employees to disinfect their hands, setting up home-office workplaces (taking IT security into account), or asking employees with symptoms not to enter workrooms.
The storage of health data of visitors is – irrespective of the existence of effective consent – inadmissible, as is the publication of detailed sensitive data of an employee. Permissible measures involving the processing of data are, especially in the case of the company’s own employees, the creation of questionnaires and the storage of the resulting health data.
The following measures to contain and combat the Covid-19 pandemic can therefore be considered legitimate under data protection law:
- Collection and processing of personal data (including health data) of employees by the employer or service provider in order to best prevent or contain the spread of the virus among employees. This includes, in particular, information on cases in which
  - an infection has been detected or there has been contact with a proven infected person, and/or
  - a stay in an area classified as a risk area by the Robert Koch Institute (RKI) has taken place in the relevant period.
- Collection and processing of personal data (including health data) of guests and visitors, in particular to determine whether they
  - are themselves infected or have been in contact with a person who is known to be infected, and/or
  - have stayed in an area classified as a risk area.
The disclosure of personal data of infected persons or persons suspected of being infected for the purpose of informing contact persons, on the other hand, is only lawful if knowledge of the identity is exceptionally necessary for the precautionary measures of the contact persons.