The coronavirus pandemic has a tight grip on much of the world and serious effects on both our private lives and business. Many companies are switching to home-office work, inter alia to protect their employees’ health. Part of these efforts will be to stay informed about current infections of employees and to take the appropriate measures. In this context, very sensitive health data will be processed. Data privacy laws and regulations must, however, still be complied with. Hence, employers should keep in mind some important cornerstones.

Art. 9 para. 1 GDPR defines, inter alia, health data as particularly sensitive data, which certainly includes information on whether a specific person is infected with SARS-CoV-2 or suffers from COVID-19.

Such sensitive data may only be processed within tight restrictions.

An exception from these restrictions can be found in Art. 9 para. 2 lit. b GDPR. Included within the employer’s duty of care for his or her employees is the care for employee health. Consequently, an employer may (and must) implement measures to safeguard employee health in the current situation. To the extent this requires the processing of health data, such processing is permitted. What is “required”? This encompasses processing data of persons who are infected or regarding whom there is a serious suspicion of infection. Such data may generally not be made accessible to third parties. However, it may be passed on to the competent health authorities. Also, persons who may have been in contact with an infected person may be made aware of this fact. Yet generally this does not require disclosure of the infected person’s identity, and hence such disclosure is generally not permitted. The same applies with regard to general information distributed to employees about an infection or infection risk within the company.

Further exceptions are provided for in Art. 9 para. 2 lit. h) GDPR regarding data processing for purposes of preventive health care and in Art. 9 para. 2 lit. i) GDPR for purposes of the general public’s health interests.

In any event, each case should be assessed individually and the basic data protection and privacy principles set forth in Art. 5 GDPR must be maintained, in particular the principles of transparency and data minimization.