May employee data be processed in order to fight a pandemic? Are employers allowed to process the “3G data” of their employees? May employee data be processed when using video conference systems? Many employers ask themselves these and other data protection questions in times of pandemics. Now an application guide from the Conference of the Independent Data Protection Authorities of the Federal and State Governments (DSK) provides the answers. The PDF document is entitled “Frequently asked questions and answers about the processing of employee data in connection with the corona pandemic”.
The answers on a total of 21 pages “should serve as an aid for practical implementation” in the scope of the GDPR. The application help is to be understood as a supplement to a press release by the DSK dated March 13, 2020. At the beginning of the pandemic situation, the DSK had already commented on issues relating to the processing of personal data of employees in times of pandemic. In April 2020 and March 2021 there were resolutions by the DSK, which also examined the interface between employee data protection and the fight against pandemics
Can only be used to a limited extent
According to the DSK, employee data may only be processed by employers to combat pandemics to a very limited extent, as it is initially the state’s task to combat a pandemic. However, the following also applies: “The employers’ duty of care obliges them to ensure the health protection of all their employees.” In any case, however, the general data protection regulations apply, such as proportionality, confidentiality, purpose limitation and the obligation to delete after the purpose of processing no longer applies. Processing based on the consent of the employees is a challenge in the relationship between employer and employee. In such a dependent relationship, it would be difficult to obtain “voluntary” consent. However, the application guide gives some specific advice on this.
The main statements of the application aid are:
- “It is not necessary to disclose the names of the employees who tested positive within the entire workforce in order to perceive the interests pursued by the employer.” Name may only be given to possible contact persons in a few exceptional cases.
- Employers may inform employees of a positive Covid19 test result from a colleague (not named) for the purpose of contact tracking and education about risk encounters. However, there are exceptions for employees if they are subject to special protection of confidentiality, such as company data protection officers or members of the supervisory board. Their contact history data may only be processed, apart from a transmission to the health department, if the confidentiality of their contact persons is not endangered.
- Private contact details of employees may only be processed in order to fight a pandemic (e.g. to contact us during risk encounters) with effective consent.
- The use of thermal imaging cameras for temperature recording is only permitted on the basis of effective consent.
- Permanent camera surveillance in the “home office” is not permitted. Processing of employee data when using video conference systems is, however, generally permitted. At this point, the DSK refers to its orientation aid and checklist on these aspects from autumn 2020.
- “3G data” of employees may only be processed by the employer in legally regulated cases. “According to § 28b Paragraph 3 Clause 1 IfSG, employers are obliged to check whether employees who enter their workplace have been vaccinated, recovered or have been tested (obligation to check).” The DSK makes it clear that the identity of an employee may be provided by means of a works ID card or ID card in the case of 3G proof.
- If employers “want to record the 2G status of their employees and, if necessary, the end date of the respective status (for example, for health records, digital evidence) for a simplified control process, they are advised to obtain the consent of their employees for reasons of legal certainty”.
- This statement by the DSK is important within the scope of the obligation to document the verification of evidence by employers: “The personal storage of health data of employees or even copying of 3G evidence of employees will generally not be necessary.”
- With the effective consent of the employees, employers may organize vaccination appointments and, in this context, also process employee data.
(avr)