Following the outbreak of COVID-19 and its development into a global pandemic, organisations have been implementing exceptional measures to safeguard employees, customers and others against the health threat that is being posed. Organisations are also endeavouring to maintain 'business-as-usual' to the extent allowed by their particular circumstances. We already discussed the resulting data protection compliance implications from the perspective of the European Union ("EU") General Data Protection Regulation ("GDPR")¹.

Besides EU law, it is also important to consider the respective national data protection laws, bearing in mind that, despite the fact that the GDPR is a Regulation, it does not create completely identical data protection rules across all Member States. Instead, it permits or requires Member States to implement specifications or restrictions on certain rules set out in the GDPR. National Data Protection Authorities ("DPAs") have already provided guidance on such particularities relating to COVID-19. The present article discusses the legal situation in Germany.

1. Overview: guidance provided by German DPAs

As a reminder, in Germany, multiple DPAs exist. In addition to a DPA on the federal level ("Federal DPA") – which is responsible for supervising telecommunications and postal services providers as well as the public sector at federal level – there are 16 DPAs on the state level ("State DPAs"), dealing with the supervision over the majority of the private sector as well as the public sector at state level².

So far, guidance has been provided by the DSK³, an assembly of the Federal DPA and the State DPAs, as well as by the State DPAs of Baden-Wuerttemberg⁴, Rhineland-Palatinate⁵ and Hamburg⁶.

2. As a principle, data protection does not stand in the way of infection control, as long as measures taken by organisations observe the legal requirements

All DPAs highlight that, at the moment, organisations are rightly asking themselves how to adequately address the risk situation posed by the COVID-19 pandemic. They emphasize the comprehensibility of organisations wanting to maintain their business as far as possible while maintaining their employees' well-being.

However, the DPAs uniformly point out that data protection considerations should be included in organisations' actions even in emergency situations, as the compliance with legal requirements is a mandatory prerequisite for prudent and level-headed action. In this context, special attention should be given to the observation of the proportionality principle.

3. National particularities: the German Federal Data Protection Act

Organisations must have an appropriate legal basis for the processing of personal data and/or special categories of personal data ("SCD")⁷ relating to COVID-19. In addition to the legal bases laid down in the GDPR⁸, the German DPAs have stressed that such processing can also be based on provisions set out in the German Federal Data Protection Act ("BDSG")⁹. These special German provisions concern in particular:

• Data processing for employment-related purposes: personal data of employees may be processed for employment-related purposes where necessary for entering into, carrying out or terminating the employment contract¹⁰. Furthermore, for employment-related purposes, the processing of SCD shall be permitted if it is necessary to exercise rights or comply with legal obligations derived from labour law, social security and social protection law, and there is no reason to believe that the data subject has an overriding legitimate interest in not processing the data¹¹; and
• Data processing of SCD in general: the processing of SCD shall be permitted by public and private bodies inter alia if it is necessary for the reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health¹².

4. Applying the national particularities: individual measures and their legal admissibility

Considering the national legal particularities outlined above, the DPAs have assessed the admissibility of specific individual measures in relation to organisations processing data concerning employees in the private sector:

• Collection of private mobile phone numbers or other contact details: organisations may want to collect contact details such as mobile phone numbers from their employees in order to be able to¹³ inform them at short notice, e.g. in the event of business closure. Whilst the DPAs highlight the usefulness of setting up an internal communication network through the collection of employees' contact details, they also stress that it can only be done with the employees' consent. Such consent would be considered as freely given if an employee, by consenting to the collection of his or her contact details, seeks to gain a time advantage in the event that the organisation shares information at short notice.
• Collection of information relating to a COVID-19 case concerning an employee: information on whether the employee is infected or has been in contact with an infected person and/or on whether the employee has been staying in a risk area (as defined by the Robert Koch Institute¹⁴) concerns the health of the respective employee and therefore qualifies as SCD. Due to both their general duty of care as employers and the German Occupational Safety and Health Act¹⁵, organisations are obliged to take the necessary measures to ensure the occupational safety and health of their employees, including the protection from infection by a sick co-worker. The organisations can therefore collect the relevant SCD for this purpose¹⁶. However, they must observe the proportionality principle: if, for instance, an employee denies having stayed in a risk area, further investigations are generally not permissible, unless indications exist to reasonably doubt the statement. Another exception might be made concerning employees in organisations that are indispensable for the acute care of the population, such as hospitals or medical device manufacturers, or in organisations involving working environments with particularly close contact. In these cases, even the measurement of the employees' body temperature is, exceptionally, conceivable as a proportionate measure.
• Sharing of a COVID-19 case concerning an employee with the other employees: in general, SCD can also be shared on the basis of releasing those employees that have possibly been in contact with the infected employee from work in order to prevent further infection¹⁷. However, the mentioning of the name of the infected employee should, in principle, be avoided, as it is generally not necessary and would therefore not be proportionate. For instance, in order to find out with whom the infected employee has had contact within the organisation, he or she can be asked to submit a list of the colleagues possibly concerned and/or to contact the latter directly him or herself.
• Specific measures with regard to a COVID-19 case concerning a third party: the DPAs have also assessed the admissibility of specific individual measures in relation to organisations processing data concerning third parties, e.g. guests entering the organisations' premises. These measures encompass the collection of information relating to a COVID-19 case concerning a third party and the sharing of such information with the employees. In both cases, the third party's SCD at issue can be processed on the basis that the processing is necessary for reasons of public interest in the area of public health¹⁸.
• Sharing of a COVID-19 case concerning an employee with public health authorities: if the competent public health authority requests the sharing of such information from organisations on the basis of the German Protection against Infection Act¹⁹, the latter are under a duty to transmit this information. It is to be assumed that this duty to transmit the information is accompanied by a corresponding right to process the information from a data protection law point of view.

Each of the above-mentioned measures need to respect the general principles relating to processing of personal data. These include that personal data shall be collected for specified, explicit and legitimate purposes – in the cases discussed above in particular for the purpose of reducing the risk of infection –, that they shall be kept for no longer than is necessary for the purposes for which they are processed – i.e. no longer than necessary on the grounds of the COVID-19 pandemic's persistence – and that they shall be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful processing – which is of particular importance in the context of processing of SCD²⁰.

Alissa Arms (White & Case, Associate, Frankfurt) co-authored this publication.

1 For further information, please see our general guide on COVID-19 and Data Protection Compliance.
2 For more information on the establishment of the DPAs in Germany, please see our GDPR Guide to National Implementation: Germany.
3 See the guidance of the Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder – DSK (Conference of the independent DPAs of the Federal and State Governments).
4 See the guidance of the State Commissioner for Data Protection and Freedom of Information of Baden-Wuerttemberg (der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg).
5 See the guidance of the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate (der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz).
6 See the guidance of the State Commissioner for Data Protection and Freedom of Information of Hamburg (der Hamburgische Beauftragte für den Datenschutz und die Informationsfreiheit).
7 See Article 9 GDRP; for further information on the qualification of personal data as SCD in the context of data processing following the COVID-19 pandemic, please see our general guide on COVID-19 and Data Protection Compliance.
8 See Articles 6 and 9 GDPR; for further information on the possible legal bases for processing of personal data relating to COVID-19 under the GDPR, please see our general guide on COVID-19 and Data Protection Compliance.
9 German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).
10 See Section 26 para. 1 BDSG.
11 See Section 26 para. 3 BDSG.
12 See Section 22 para. 1 no. 1 letter c) BDSG.
13 See Section 26 para. 2 sentence 2 BDSG.
14 See the Robert Koch Institute’s classification of international risk areas.
15 Act on the Implementation of Measures of Occupational Safety and Health to Encourage Improvements in the Safety and Health Protection of Workers at Work (Arbeitsschutzgesetz – ArbSchG).
16 See Section 26 paras. 1 and 3 BDSG.
17 Ibid.
18 See Section 22 para. 1 no. 1 letter c) BDSG.
19 See Section 16 para. 1 sentence 1 of the German Protection against Infection Act (Infektionsschutzgesetz – IfSG) sets out that, if circumstances are observed which could lead to the outbreak of a communicable disease, the competent authority shall take the measures necessary to avert the danger which these circumstances pose to the individual or the public at large, and para. 2 sentence 3 specifies that persons in a position to provide information on the circumstances specified in para. 1 shall be obliged to furnish the requisite information. Section 16 para. 1 sentence 2 German Protection against Infection Act specifies that the personal data collected in the course of these measures may only be processed and used for the purposes of that Act.
20 See Art. 5(1)(b), (e) and (f) GDPR.

Watch our video
GDPR implementation: Greater harmonisation or increased complexity?

[View source.]