Many employers and employees are faced with the question of the extent to which they can and must exchange health data and under what circumstances. The data protection supervisory authorities of the governments presented a common position in a data protection conference.
Data Collection Is Allowed
To contain the corona pandemic, companies and organizations can collect and use not only the personal data of employees, but also of guests and visitors to prevent the virus from spreading among employees. This includes data on cases in which an infection was identified or in contact with a person who has been proven to be infected.
Health data may also be collected if a stay in an area is classified as a risk during the relevant period. The data of persons who have been proven to be infected or who are suspected of being infected are only lawful if the knowledge of the identity is exceptionally necessary for the precautionary measures of the contact persons. This means that the name should always be avoided.
The duty of care obliges the employer or employer to ensure the health protection of all employees. However, the precautionary measures would of course always be proportionate. Therefore, the respective data would have to be treated confidentially and used exclusively for the intended purpose. At the latest with the end of the pandemic, the data collected would have to be deleted immediately.
Consent is only possible if they are informed about the data processing and can voluntarily consent to the measure. However, employees would also have to comply with duties of consideration, conduct and cooperation towards their employer and third parties. For example, they are obliged to inform their employer about an infection with the Corona virus, which could also result in a disclosure right under the contact persons.