COVID-19: People: data protection update for employers (Germany)

For many employers, COVID-19 has led to the closure or the impairment of operations. However, some employers have been able to continue their operations unchanged. If the business reopens after the lockdown, all employers will be equally compelled to take measures to ensure both business continuity and employee protection. In many instances, this involves increased processing of health data, in ways that were not envisaged a short time ago. This increase, combined with the timeframes involved in processing health data, and the speed at which government advice and directions are changing, has presented a number of challenges. Even if data protection regulators are recognising these challenges, it is important to remember that a global pandemic is not a general waiver for privacy compliance.

In this article we present individual measures that are conceivable to prevent the spread of COVID-19 in the company and highlight the data protection aspects of these individual measures. Besides we give a short overview of five key legal steps regarding data protection, which employers should consider when allowing employees to work from home.

1. Potential individual measures to stop or prevent the spread of COVID-19 within the company

The question as to how the spread within a company can be stopped or prevented is highly relevant for employers. From our experience, many employers have been asking employees to fill out questionnaires on whether they are experiencing any symptoms associated with COVID-19 and/or have had any contact with persons who have or had contracted the virus. However, some employers have introduced stricter measures such as scanning body temperatures prior to entering the workplace or other medical measures such as assessing the state of health of individuals and whether for example they have been showing signs of sweating or coughing.

The data protection authorities of the Rhineland-Palatinate and Saxony states published statements on their websites stating that requiring employees to fill out a health questionnaire, to report information about their health (with the exemption of information on any recent holidays to risk zones and any contact with suspected persons) and requiring employees to undergo a medical examination such as measuring body temperatures are not justified according to German data protection law. However, other authorities seem to have taken a different view. For example, the Federal Commissioner of Data Protection and Freedom of Information has published a statement that it is permissible to query the health status of all employees in order to ensure the safety of their own employees and prevent the spread of the virus (the statement is available here). According to statements of the data protection authority of the state Hamburg and North Rhine-Westphalia, measuring the temperature of employees prior to entering the premises can be justified on a case-by-case basis. The authority of the state North Rhine-Westphalia recommends reaching a desired solution having considered the views of the employees, the works council and the data protection officer. Entering into a works council agreement as legal basis for processing of employees’ data should in our view help employers to reduce the risk of potential non-compliance with data protection law.

Please note that all other relevant principles and obligations of the General Data Protection Regulation will be need to be kept in mind and complied with when implementing new measures – for example, the data minimisation principle, the information obligation under Article 13, the requirement to document processing activities under Article 30 and to put in place appropriate retention and deletion periods.

2. Key steps when allowing employees to work from home

Employers around the world have encouraged their employees to work from home since the outbreak of the COVID-19 pandemic. We have set out five key steps employers should consider when doing so, from a data protection perspective:

• implement or ensure that company policies on working from home are up to date. This can include ensuring that there are restrictions on access rights, informing employees to lock devices when unattended, making sure any phone calls or online meetings are carried out somewhere where they cannot be overheard, (particularly if what is being discussed is confidential or sensitive information), ensuring employees know not to forward emails to private addresses, and will destroy any hardcopies when back in the office;
• necessary IT security measures must be in place, e.g. the system must be kept up-to-date, all devices should have virus and firewall protection, and that there are contact persons in case of any technical problems;
• remind employees to be alert to security issues (e.g. phishing emails);
• consider ad-hoc training for those employees who typically do not work from home; and
• remind employees that existing rules on the prohibition of private use of the IT and the email system remain in place.

In this context, the Federal Office for Information Security provides a four-page leaflet that employers can share with their employees. The leaflet is available here.

If these topics are of interest to you or one of your colleagues, please feel free to contact us.