COVID-19 and GDPR

Currently, we only have one dominating topic – COVID-19 and its global spread. In that respect, many questions of employers and employers with respect to the protection of personal data arise. Please find our summary of the FAQs below.

I. Employee’s Questions:

1. Do I have to inform my employer if I became infected with COVID-19?
Yes, you are under duty to inform your employer. Only by doing so the employer can comply with his/her duties of care towards you and the other employees and take the required safety measures, including but not limited to contacting the health authority.

2. Do I need to inform my employer that one of my family members and friends got infected with COVID-19?
You need to inform your employer if you can be regarded as so-called “contact person” in that respect. A contact person is someone who liaised with an infected individual for at least 15 minutes. As the infection takes place by the coronavirus moving from one throat to the other a chat with that person of about 15 minutes or longer, not keeping the required distance of 2 metres is sufficient. However, you are not obliged to tell concrete names of our friends and family members rather than informing that you got in contact with an infected individual.

3. Do I need to inform the employer on my movement profile and contacts I had?
Yes, you are obliged to do so. You need to provide your employer with all information relating to your work, which means your ways in the office and which colleagues you contacted in the past days. The health authority can have further questions to you with respect to your private mobility.

4. Do I need to inform on the progress of my COVID-19 infection?
No, you do not have such duty. However, you cannot return to work before you are officially regarded as recovered and provide your employer with a confirmation on your recovery.

5. How come that the Robert-Koch-Institute („RKI“) received movement data from the telecommunication providers? Can I be traced by such data?
This data is anonymized. Hence, the GDPR does not apply. Based on Recital 26 of the GDPR, anonymized data includes information which does not relate to an identified or identifiable natural person. The data sent to RKI consists of surveys of movement profiles, which cannot be linked to individuals. This data serves the purpose of evaluating the current risk situation and assessing if additional measures are required. By such data, you cannot be traced individually.

II. Employer’s Questions:

1. Do I have to track which individuals entered my office? How long do I have to store such data?
If you do not already provide of a reception control you should install this service now for protecting your office. Further, only required meetings should take place with enough room and safety distance of 2 metres per person.
You should have control and knowledge on any delivery, cleaning service or facility manager entering your office and the time when they do.
For reasons of health with respect to COVID-19 you can store such data for at least 14 days. If you collect such data also for safety purposes, they can be stored for up to three months. Please consider that a name and at least one contact data, like email address or phone number, is required for combatting the epidemic. Otherwise, those people cannot be contacted in the event you become aware of an incident.

2. May I draft sheets with contact persons and movement profiles after getting knowledge of a COVID-19 infection of an employee? For what time can such data be stored?
If need be, you will be asked for drafting those sheets by the health authority. Moreover, you should prepare those sheets for effectively protecting your other employees and taking the required safety measures. This is required for efficiently fulfilling the required hygienic steps, like disinfecting rooms.
For verification purposes such data can be kept for up to three months.

3. Currently, I do not want to carry out any job interviews. Can I keep application data longer than usual?
The periods for deleting application data start with the completion of the application procedure. Hence, periods for deleting data automatically extend if the procedure will take more time than expected. Each applicant currently needs to expect delays due to COVID-19 as any company reduces it business activities to a minimum.
However, it is preferable to contact the applicant and point out that there are delays and the applicant is free to withdraw from his application or having his/her data deleted.

4. Can I use data collected with respect to COVID-19 for other purposes, for example for drafting statistics?
In general, data may only be used for the purpose they have been collected for. For changing the purpose specific requirements under GDPR will need to be fulfilled (see Art. 6 Section 4 GDPR). This does not apply if data have been anonymized (please also see the answer to Section I. No. 5). Thus, drafting an anonymous statistic on illness days of a company is legally compliant. Movement profiles of specific employees cannot be used if data is not anonymized.

5. Can I measure the temperature of my employees on a regular basis?
No, you are not allowed to. Such measure would be very privacy-intrusive and cannot be justified with your legitimate interests according to Art. 6 Section 1 f) GDPR. Considering the relationship of dependence, also an employee’s consent cannot serve for that purpose. However, if there is an indication that an employee is seriously ill you can send him/her home.

Do you have any further GDPR-related questions with respect to Covid-19? Then do not hesitate to contact us:

Your contacts
Lawyer Dr. Karolin Nelles, LL.M., Frankfurt
Lawyer Lukas Behnke, Osnabrueck