Art. 9 para. 1 GDPR defines, inter alia, health data as particularly sensitive data, which certainly includes information on whether a specific person is infected with SARS-Cov2 or suffers from COVID-19.
Such senstive data may only be processed within tight restrictions.
An exception from these restrictions can be found in Art. 9 para. 2 lit. b GDPR. Included within the employer’s duty of care for his or her employees is the care for employee health. Consequently, an employer may (and must) implement measures to safeguard employee health in the current situation. To the extent this requires the processing of health data, such processing is permitted. What is “required”? This encompasses processing data of persons who are infected or regarding whom there is a serious suspicion of infection. Such data may generally not be made accessible to third parties. However, it may be passed on to the competent health authorities. Also, persons who may have been in contact with an infected person may be made aware of this fact. Yet generally this does not require disclosure of the infected person’s identity and hence such is generally not permitted. The same applies with regard to general information distributed to employees about an infection or infection risk within the company.
Further exceptions are provided for in Art. 9 para. 2 lit. h) GDPR regarding data processing for purposes of preventive health care and in Art. 9 para. 2 lit. i) GDPR for purposes oft he general public’s health interests.
Further details can be found in ...
- ... a statement of the Federal Data Protection Officer
- ... an FAQ-paper oft he Data Protection Officer of Baden-Wuerttemberg
- ... a publication of the Data Protection Officer of Rhineland-Palatine
In any case, each case should be assessed individually and the basic data protection and privacy principles set forth in Art. 5 GDPR must be maintained, in particular the principles of transparency and data minimization.
