Up Again Germany: Privacy and Data

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

The collection and processing of personal data (including health data) of employees or visitors by the employer to prevent or contain the spread of the virus as far as possible may be permitted, depending on the specific circumstances and subject to compliance with applicable data protection principles and requirements (see question 9 below).

In that regard, and only for the time being, it may be permitted on a case-by-case basis to check the body temperature of workers/visitors or carry out other health checks, notably in work environments with particularly close contact.

Employers must, however, keep the collected information to the necessary minimum, for example by only documenting the general result. The specific symptoms of illness or the specific body temperature will generally not need to be stored. Employees and visitors must be informed in a transparent manner about the processing of their personal data, in accordance with Article 13 GDPR.

The use of thermo-cameras needs to be reviewed particularly carefully on a case-by-case basis, as a German data protection authority has already ordered a supermarket to remove thermo-cameras due to a violation of GDPR.

Temperature monitoring and other health checks might be subject to co-determination rights of the works council.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

As per question 1 above, employers must comply with data protection principles and requirements. They must keep such processing to what is actually necessary to fulfil the purpose of containing the spreading of the virus (principle of proportionality), and ensure that processing is based on valid legal grounds, as assessed on a case-by-case basis. The data must also be treated in strict confidence, subject to strict access restrictions, and deleted as soon as the relevant processing purpose no longer applies.

Employers must pay particular attention to the scope (i.e. the necessary minimum) and the storage/documentation of completed questionnaires, and consider whether this is necessary at all (e.g. to be able to warn others and interrupt infection chains).

Employees and visitors must be informed in a transparent manner about the processing of their personal data, in accordance with Article 13 GDPR.

Please also note that according to newly adopted regulations at state level regarding the containment of the virus, it may be mandatory for employers to maintain contact lists to be able to trace back infection chains. This mainly depends on the employer's area of business. Several German data protection authorities have published guidelines and templates for such contact lists (especially with regard to the permitted content, deletion routines, and access restrictions).

Employers may not make access to their premises conditional on employees presenting the German corona-warning smartphone app, which shows whether the user had a risk encounter with someone proven to be infected.

According to the German data protection authorities, this would be an improper use, which is incompatible with the concept of voluntary use of the app. Discrimination against persons who do not use the app should be excluded. Whether this concerns data protection law is another matter, as an employer is definitely not the controller of the data processing carried out via the app.

Merely checking whether the app is installed on a smartphone does not, in general, constitute data processing by automated means or data processing in a filing system within the scope of GDPR. For employees, however, there is an exemption in the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) that extends the scope of GDPR for the processing of personal data. According to Section 26(7) BDSG, the rules for the processing of employee personal data apply in addition to Art. 2(1) GDPR when personal data of employees are processed without forming or being intended to form part of a filing system.

This includes checking whether the app is installed on an employee’s smartphone. A separate assessment may be necessary if the smartphones of external service providers or visitors are to be checked before entering the premises.

For more information on the corona-warning app, see the People section of these FAQ.

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

The employer may be justified in asking employees to actively provide this information, though there is generally no obligation for employees to do so. Employees cannot be forced to notify, especially in circumstances where there is no infection risk the employer should be aware of (e.g. if the employee has the antigen).

However, in cases where the employee has, or is suspected to have, contracted COVID-19, notification to the health authorities is required (also see below).

If personal data about members of the household is collected via the employee, these members need to be informed by the employer under Article 14 GDPR, unless an exception applies in the individual case.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

Names of employees should be shared only if strictly necessary to contain the spreading of the virus. As a general rule, the general information that an employee from a certain business unit is infected will suffice, and it will only be necessary to share names in very limited scenarios, if at all.

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

In general, the processing of employee personal data in response to requests from competent authorities (e.g. regarding employees in the company who are infected) is lawful. It is assumed the employer has the obligation to transmit such information (Article 6(1)(c) GDPR in connection with the respective provision of the German Infection Protection Act (Infektionsschutzgesetz / IfSG)). However, an assessment in each individual case is required to ensure legal compliance.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

The employer should assess, in each case, whether such a transfer/disclosure of personal data to affiliates has a legal basis.

For the transfer of health data as a special category of personal data, in addition to the requirements of Article 6(1) GDPR, the requirements of Article 9 GDPR must be met.

The legal permission provided in Section 26(3) sentence 1 BDSG and Section 22(1) BDSG is applied quite restrictively, and needs to be assessed in the individual case.

The employer must always consider whether its objectives could be achieved with anonymised or pseudonymised data.

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

The monitoring of employees is subject to data protection law and employment law, particularly when it comes to co-determination rights of the works council. In general, from a data protection view, employers should refrain from implementing most employee-monitoring measures, as they may be either not permitted or only permitted in exceptional, limited circumstances and under strict conditions.

The lawfulness of such measures depends on the specific measure and the particular circumstances.

Employers should assess the compliance of any measure with the relevant data protection law, particularly the principle of data protection by design.

Employers should also consider carrying out a data protection impact assessment.

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

Each controller further needs to comply with the data protection principles in Article 5(1) GDPR, in particular the principle of data minimization.

As the processed data contains health data as a special category of personal data pursuant to Article 9(1) GDPR, additional principles must be observed. In this respect, Section 22(2) BDSG stipulates additional measures to be taken by a controller, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing.

Further, in the assessment of the legal basis of a processing activity the employer must keep in mind that Germany made broad use of the opening clause under Article 88 GDPR and has basically implemented an entire special regime for the handling of employee personal data in Section 26 BDSG. Section 26(1) BDSG only applies for the processing of personal data for employment-related purposes.

In addition, an employer shall observe the statements and guidance published by the German data protection authorities concerning the processing of personal data in connection with COVID-19 and should always pay attention to whether such statements and guidance are updated or whether new statements and guidance are published.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

In the worst-case scenario, a violation of the provisions of the GDPR or the BDSG may be subject to an administrative fine of up to EUR 20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)(a) GDPR).

The data protection authorities further have investigative powers according to Article 58(1) GDPR, such as carrying out investigations in the form of data protection audits or obtaining access to any premises of the controller, including to any data processing equipment and means.

Article 58(2) GDPR grants corrective powers to the data protection authorities, such as issuing reprimands to a controller where processing operations have infringed GDPR or imposing a temporary or definitive limitation, including a ban, on processing.

Employees and other affected data subjects may also sue the employer for both material and immaterial damages under Article 82 GDPR.