The testing obligation for companies is now a done deal. Whether it makes sense and is affordable or not is no longer a question.
In terms of data protection law, however, there are a few points to consider. The processing of health-related employee data falls under Art. 9 DSGVO and § 22 BDSG. The fact that this data is particularly worthy of protection and sensitive does not need to be emphasized.
The Federal Data Protection Act
(1) By way of derogation from Article 9(1) of Regulation (EU) 2016/679, the processing of special categories of personal data within the meaning of Article 9(1) of Regulation (EU) 2016/679 shall be permitted …
1. by public and non-public bodies if they.
(h) is necessary for the purposes of preventive health care, the assessment of the employee’s fitness for work, medical diagnosis, health or social care or treatment, or the management of health and social care systems and services, or on the basis of a contract between the data subject and a health professional, and such data are processed by or under the responsibility of medical staff or by other persons subject to an appropriate obligation of confidentiality,
(i) the processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or to ensure high standards of quality and safety of health care and of medicinal products and medical devices, on the basis of Union law or the law of a Member State which lays down appropriate and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.”,
Federal Data Protection Act, § 22
And in Art. 9, para. 2 lit h is stated as a reason for permission for processing:
Processing is necessary for the purposes of preventive health care or occupational medicine, for the assessment of the employee’s fitness for work, for medical diagnosis, health or social care or treatment, or for the management of health or social care systems and services, on the basis of Union law or the law of a Member State or on the basis of a contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3
Art. 9 DSGVO
No compulsion to test for employees
Compliance with the legal obligation requires the processing of health-related data. In practice, companies face some questions that need to be clarified. Addressed are all companies whose employees do not work in a home office. Employees must be offered a self-test or quick test at least once a week. However, participation in the testing program is not mandatory for employees; the employee can and may refuse to participate. What does an employee’s refusal to participate in the test mean for the company? Can and are companies allowed to tie on-the-job performance to the presence of a negative test result? Indirect compulsory testing for employees should be avoided.
Of course, an employee with symptoms of illness can still be asked to submit a test in the future, as in the past, and may also be sent home if necessary.
The vast majority of employees are likely to respond positively to the offer of testing. However, it is advisable to point out in writing that participation is voluntary and to have this confirmed. In addition, basic questions, such as the relevance of positive test results, should be addressed in the initial information provided to employees.
What should be done in the event of positive test results?
If the employee receives a positive test result, the priority is to protect the workforce from possible infection. The employee should be sent home immediately and advised that PCR testing is mandatory. A positive test result does not automatically mean that the person concerned is actually infected with the Corona virus. This must be explicitly pointed out at this point.
In smaller companies in particular, it is impossible to avoid the rapid spread of such a measure by way of “word of mouth”. The resulting unrest requires a communication strategy that both preserves the organization’s ability to work and satisfies data protection requirements. This is no easy task for managing directors and employees with personnel responsibility. It should be clear that test results are subject to confidentiality. In such a case, it would be advisable to offer unsettled employees another test, if necessary.
Tests by healthcare professionals
As an alternative to self-tests, it is also possible to offer tests by medical professionals within the company. This also provides the option of offering written confirmation of the negative test, which could possibly give employees more freedom in the future, at least on the day of the test.
Anonymized contact tracing
One conceivable option could be to introduce an anonymized contact tracing procedure in the company. Elsewhere, we have already looked at the possibilities offered by the Luca app. The upcoming version of the Corona warning app should also open up this option. Contact tracing options of this kind can be used to warn employees in the event of an infection without third parties, with the exception of the relevant health authorities, finding out about it. Despite the shortcomings known to date, contact tracing offers advantages over other, more public procedures in terms of data protection.
The practical implementation of the testing obligation in the company
remains a challenge, not only but also in terms of data protection law. If you have any questions, please do not hesitate to contact us using the contact options provided.