Since the WHO declared COVID-19 (Corona) a pandemic on 11.03.2020, the political measures to contain the virus have intensified across all countries. Employers are facing the dilemma of having to maintain normal business operations on the one hand, while at the same time complying with their duty of care towards their employees. In order to minimize the risk of infection within their business premises, they depend on additional information. Which employee has recently been in an area that is deemed risky? Do some employees already have the first disease related symptoms? Has any of my employees been confirmed carrying COVID-19? How do I communicate a COVID-19 case within my company? May I disclose names? As these questions concern personal data, the data protection regulations of the GDPR apply. Processing data is made even more difficult as health data (i.e. special categories of personal data within the meaning of Art. 9 (1) GDPR) are affected. Such data may only be processed under strict conditions. According to a statement of the EDPB*, the GDPR does not hinder measures taken in the fight against COVID-19. Despite these “exceptional times”, the protection of the data subjects’ personal data must be ensured. The personal data of some employees may be processed – even without their consent – in accordance with Articles 6 and 9 GDPR either to comply with legal obligations or to protect vital interests.
In the last few days, the first European supervisory authorities have published statements on the issue of "Data protection and COVID-19".
For a preliminary overview, we have compiled for you the rough positions of the individual supervisory authorities:
Opinions of the European supervisory authorities: Data protection and COVID-19
We have compiled on our website comprehensive information and recommendations for action in response to the legal implications arising from the coronavirus pandemic: Coronavirus - legal issues