Both public and private employers currently have their hands full trying to contain the negative effects of the Corona crisis as far as possible. The contact tracing that public health authorities carry out under their public mandate to interrupt chains of infection is also taking place, on a small scale and in the same or similar ways, within companies. After all, every employer should try to prevent the spread of the virus in their own company. Data protection issues appear to be problematic here. Neither the GDPR nor the Federal Data Protection Act contains specific regulations on how to behave in times of a pandemic.
Federal Ministry of Labor and Social Affairs – Measures
The employer is therefore initially left with only the general regulations on protecting the health of employees. In addition, there are the recommendations of the Robert Koch Institute and the federal and state authorities. For example, on April 16, 2020, the German Federal Ministry of Labor and Social Affairs published a paper called “SARS-CoV-2 Occupational Health and Safety Standard,” which proposes company action concepts for infection protection.
Data protection issues
Many questions naturally remain unanswered, since every company has its own peculiarities that must be taken into account. Should a crisis team be formed? In what form should the works council (if any) be involved? Should a pandemic plan be drawn up? May health data be passed on to authorities? Are questions about previous illnesses or the current state of health permitted? May symptom tests be carried out? May employees returning from vacation be asked about their travel destinations?
This list of questions is not exhaustive; countless other questions arise. One thing seems certain from the point of view of data protection: on the one hand, it must not be neglected, but on the other hand, it should not be an insurmountable obstacle in the fight against the pandemic. However, health data require special protection. Internal measures must therefore be carefully weighed up with the involvement of the in-house or external data protection officer.
Dr. Wolfhard Steinmetz