1. Does data protection limit the options companies have to combat the Corona virus?
This should generally not be the case. Data protection is a fundamental right, but – like all fundamental rights – it is not an absolute right and must be balanced against other fundamental rights. The scale of the Corona threat has made clear to all European governments that extraordinary measures are needed to protect the most important of all fundamental rights: life and health. The same balancing applies to companies, and with the threat increasing every day, the statements and guidance of data protection authorities increasingly acknowledge the need for and justification of exceptional measures. In our view, the following limits apply:
- The measures must serve a sensible purpose with regard to protecting the health of the company's employees, business partners or the wider public. They must be appropriate. Companies are therefore not to collect personal data if the data is not used, will likely not be used and need not be used in connection with reasonable measures to combat the Corona virus. Example: it makes absolute sense to measure the temperature of visitors/employees entering a building and to refuse access if they disagree or have a high temperature, but for controlling access the data does not need to be retained further (granting access is usually a yes/no decision).
- Personal data collected for the Corona virus must not be used for any other purposes (unless there is a separate justification for it) and there must be technical and organisational measures in place to ensure this.
- Measures must be applied in a non-discriminatory manner. Example: only measuring the temperature of people of a specific origin would clearly not be allowed.
2. May I record and share information about an employee who is infected with the Corona virus?
Yes, personal data of employees may also be collected and processed if an infection has been detected (i.e. the employees have tested positive or, as will become more and more relevant in the future, they are deemed to be positive under the guidance of the relevant health authorities). The employer may (and should) keep a record of infected people (but access to this data should be carefully restricted).
The information may (and, as a duty of care under employment and contract laws, even must) be shared with relevant potential contacts who can be reasonably identified. In many cases this will also require sharing the name of the relevant individual, but it usually does not allow the disclosure of the name or other information to the general public (because this is usually not required). However, it should include notifying everybody (other employees or even business partners) who may have had close contact with the infected person in the relevant period.
3. Must a company inform authorities and/or certain people (contacts of an infected person) about an infection?
For a normal company (outside medical care), there is (currently) no duty to inform the authorities (this is done by laboratories, hospitals, doctors etc.). However, there may be an obligation under the general duty of care to inform potential contacts; see question 2 for details.
4. May a company ask its employees about symptoms/their health status?
As far as relevant in connection with Corona (or similar serious infections), yes. We think it is justified to ask whether an employee has specific COVID-19 symptoms (which can be listed), but in most cases yes/no answers should be sufficient.
This may even be done as part of a daily routine (when entering a building or otherwise).
A different evaluation may apply to people working only from home (question 8).
5. May a company ask people wanting to enter a building about symptoms/their health status?
Yes. A company may generally use its house right to decide the conditions under which it allows access, to the extent described under question 4 above. It is important that this is done in a non-discriminatory manner and that the data is not used for other purposes. Data that is used for access control may not be stored (see the example under question 1 above).
6. May a company ask employees or visiting business partners for their travel history?
This is a rapidly evolving question. Data protection authorities had issued guidance that it is not allowed to ask for general travel history, but only for travel history with respect to "risk areas" as defined by the relevant body (in Germany the Robert Koch Institute). However, the development of the spread of the virus has shown that this may be too short-sighted. The risk areas change rapidly, and whether an area is considered risky at a certain time may only be determined 1 or 2 weeks later. Meanwhile, general international travel restrictions are in place. In this context, we think there is an argument at the moment that it should also be allowed, and even be appropriate, to collect all relevant travel history (subject to strict access restrictions and further technical and organisational measures) – this may change if the virus spreads further throughout the whole world and locations become less relevant.
7. May a company ask its employees or visitors about COVID-19 symptoms of relatives or housemates?
There is no specific guideline from the DPAs yet. However, given that the risk of becoming infected within a family or household is rather high, we think that companies may also ask employees/visitors whether relatives (if they live together) or housemates are infected or have COVID-19 symptoms (see above), provided they need this information (e.g. the company decides that this group of individuals should stay at home/work from home – in that case it may even be sufficient to add this to the list of scenarios in which employees should work from home; another example: this information is used for access control). In most cases a yes/no answer should be sufficient.
A different evaluation may apply to people who already work only from home (question 8).
8. May a company ask for information (COVID-19 infection, symptoms, travel history, body temperature etc.) from people working at home?
As explained under question 1, any measures or information requests must be appropriate. For example, measures (e.g. temperature measurement, questions about health etc.) that are applied for access control or are intended to prevent one employee from infecting another employee or business partner may not necessarily be appropriate where an employee only works from home. Therefore, all measures need to be considered on a case-by-case basis. In some cases, it may be difficult to group employees (e.g. who should be informed?) and there may be certain grey areas. We think that it is not the right time to make things more complex than necessary.
9. How about the general data protection obligation of a company in times of Corona, in particular regarding deadlines to fulfil data subject rights?
There is no specific relief under any Corona-related legislation or the general German Infection Protection Act. Hence, the general rules apply. This means that all obligations still exist and there is no general relief from them, but if a company has operational issues which are triggered by Corona, this may be (and likely will be) a justification not to comply with certain deadlines (e.g. requiring more time to answer data subject requests). However, it should be noted that many of the data protection related tasks may be fulfilled by people working from home in fully operational capacities. Thus, it should be checked case by case whether a certain deadline may not be applicable.