Category: Series Data Protection and Corona

(Update) Processing of COVID-19 immunization data of employees in non-EEA countries

21. January 2022

With COVID-19 vaccination campaigns well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR)(EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data. However, the question of whether COVID-19-related data may be processed by an employer is evaluated differently, even in the context of the same data protection regime such as the GDPR.

Below, we discuss whether employers in different non-EEA countries are permitted to process COVID-19-related data about their employees.

Brazil: According to the Labor Code (CLT), employers in Brazil have the right to require their employees to be vaccinated. The employer is responsible for the health and safety of its employees in the workplace and therefore has the right to take reasonable measures to ensure health and safety in the workplace. Since employers can require their employees to be vaccinated, they can also require proof of vaccination. As LGPD considers this information to be sensitive personal data, special care must be taken in processing it.

Hong Kong: An employer may require its employees to disclose their immunization status. Under the Occupational Safety and Health Ordinance (OSHO), employers are required to take all reasonably practicable measures to ensure the safety and health of all their employees in the workplace. The vaccination may be considered as part of COVID-19 risk assessments as a possible additional measure to mitigate the risks associated with infection with the virus in the workplace. The requirement for vaccination must be lawful and reasonable. Employers may decide, following such a risk assessment, that a vaccinated workforce is necessary and appropriate to mitigate the risk. In this case, the employer must comply with the Personal Data Protection Regulation (PDPO). Among other things, the PDPO requires that the collection of data must be necessary for the purpose for which it is collected and must not be kept longer than is necessary for that purpose. According to the PDPO, before collecting data, the employer must inform the employee whether the collection is mandatory or voluntary for the employee and, if mandatory, what the consequences are for the employee if he or she does not provide the data.

Russia: Employers must verify which employees have been vaccinated and record this information if such vaccinations are required by law. If a vaccination is not required by law, the employer may require this information, but employees have the right not to provide it. If the information on vaccinations is provided on a voluntary basis, the employer may keep it in the employee’s file, provided that the employee consents in writing to the processing of the personal data. An employer may impose mandatory vaccination if an employee performs an activity involving a high risk of infection (e.g. employees in educational institutions, organizations working with infected patients, laboratories working with live cultures of pathogens of infectious diseases or with human blood and body fluids, etc.) and a corresponding vaccination is listed in the national calendar of protective vaccinations for epidemic indications. All these cases are listed in the Decree of the Government of the Russian Federation dated July 15, 1999 No 825.

UK: An employer may inquire about an employee’s vaccination status or conduct tests on employees if it is proportionate and necessary for the employer to comply with its legal obligation to ensure health and safety at work. The employer must be able to demonstrate that the processing of this information is necessary for compliance with its health and safety obligations under employment law, Art. 9 (2) (b) UK GDPR. He must also conduct a data protection impact assessment to evaluate the necessity of the data collection and balance that necessity against the employee’s right to privacy. A policy for the collection of such data and its retention is also required. The information must be retained only as long as it is needed. There must also be no risk of unlawful discrimination, e.g. the reason for refusing vaccination could be protected from discrimination by the Equality Act 2010.

In England, mandatory vaccination is in place for staff in care homes, and from April 2022, this will also apply to staff with patient contact in the National Health Service (NHS). Other parts of the UK have not yet introduced such rules.

USA: The Equal Employment Opportunity Commission (EEOC) published a document proposing that an employer may implement a vaccination policy as a condition of physically returning to the workplace. Before implementing a vaccination requirement, an employer should consider whether there are any relevant state laws or regulations that might change anything about the requirements for such a provision. If an employer asks an unvaccinated employee questions about why he or she has not been vaccinated or does not want to be vaccinated, such questions may elicit information about a disability and therefore would fall under the standard for disability-related questions. Because immunization records are personally identifiable information about an employee, the information must be recorded, handled, and stored as confidential medical information. If an employer self-administers the vaccine to its employees or contracts with a third party to do so, it must demonstrate that the screening questions are “job-related and consistent with business necessity.”

On November 5th, 2021, the U.S. Occupational Safety and Health Administration (OSHA) released an emergency temporary standard (ETS) urging affected employers to take affirmative action on COVID-19 safety, including adopting a policy requiring full COVID-19 vaccination of employees or giving employees the choice of either being vaccinated against COVID-19 or undergoing COVID-19 testing and wearing a face covering. On November 12th, 2021, the court of appeals suspended enforcement of the ETS pending a decision on a permanent injunction. While this suspension is pending, OSHA cannot take any steps to implement or enforce the ETS.

In the US there are a number of different state and federal workplace safety, employment, and privacy laws that provide diverging requirements on processing COVID-19 related information.

(Update) Processing of COVID-19 immunization data of employees in EEA countries

With COVID-19 vaccination campaigns well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR)(EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data. However, the question of whether COVID-19-related data may be processed by an employer is evaluated differently, even in the context of the same data protection regime such as the GDPR.

Below, we discuss whether employers in different European Economic Area (EEA) countries are permitted to process COVID-19-related data about their employees.

Austria: The processing of health data in the context of the COVID-19 pandemic can be based on Article 9 (2) (b) of the GDPR in conjunction with the relevant provisions on the duty of care (processing for the purpose of fulfilling obligations under labor and social law). Under Austrian labor law, every employer has a duty of care towards its employees, which also includes the exclusion of health hazards in the workplace. However, this only entitles the employer to ask the employee in general terms whether he or she has been examined, is healthy or has been vaccinated. Therefore, if the legislator provides for two other equivalent methods to prove a low epidemiological risk in addition to vaccination, the current view of the data protection authority is that specific questioning about vaccination status is not possible from a data protection perspective. An exception to this is only to be seen in the case of an explicit (voluntary) consent of the employee (Art. 9 (2) a) GDPR), but a voluntary consent is not to be assumed as a rule due to the dependency relationship of the employee.
As of November, employees will be obliged to prove whether they have been vaccinated, recovered from a COVID-19 infection or recently tested negative if they have physical contact with others in enclosed spaces, such as the office.

Austria was the first EU country to introduce mandatory Corona vaccination. From the beginning of February, Corona vaccination will be mandatory for all persons over 18 years of age, otherwise they will face fines of up to 3,600 euros from mid-March.

Belgium: In Belgium, there is no legal basis for the processing of vaccination information of employees by their employer. Article 9 (1) GDPR prohibits the processing of health data unless an explicit exception under Article 9 (2) GDPR applies. Such an exception may be a legal provision or the free and explicit consent of the data subject. Such a legal provision is missing and in the relationship between employee and employer, the employee’s consent is rarely free, as an employee may be under great pressure to give consent. The Belgian data protection authority explicitly denies the employer’s right to ask.

The Belgian government plans to make vaccination mandatory for health workers from April 2022.

Finland: The processing of an employee’s health data is only permitted if it is directly necessary for the employment relationship. The employer must carefully assess whether this necessity exists. It is not possible to deviate from this necessity by obtaining the employee’s consent. The employer may process an employee’s health data if this is necessary for the payment of sick pay or comparable health-related benefits or to establish a legitimate reason for the employee’s absence. The processing of health data is also permitted if an employee expressly requests that his or her ability to work be determined on the basis of health data. In addition, the employer is entitled to process an employee’s health data in situations expressly provided for by law. The employer may require occupational health care to provide statistical data on the immunization coverage of its employees.

France: In general employers may not require their employees to disclose whether they have been vaccinated, unless specific circumstances determined by law apply.

In France, mandatory vaccination has been in effect since mid-September for healthcare workers, i.e., employees of hospitals, retirement and nursing homes, care services, and employees of emergency services and fire departments.

Since July 21st, 2021, a “health passport” is mandatory for recreational and cultural facilities with more than 50 visitors, such as theaters, cinemas, concerts, festivals, sports venues. The health passport is a digital or paper-based record of whether a person has been vaccinated, recovered within 11 days to 6 months, or tested negative within 48 hours. Due to the Health Crisis Management Law No 2021-1040 of August 5, 2021 there are several workplaces where the health pass is mandatory for employees since August 30th, 2021. These include bars, restaurants, seminars, public transport for long journeys (train, bus, plane). The health passport is also mandatory for the staff and visitors of hospitals, homes for the elderly, retirement homes, but not for patients who have a medical emergency. Visitors and staff of department stores and shopping malls need to present a health pass in case the prefect of the department decided this necessary. In these cases, the employer is obliged to check if his employees meet their legal obligations. However, the employer should not copy and store the vaccination certificates, but only store the information whether an employee has been vaccinated. Employers who do not fall into these categories are not allowed to process their employees’ vaccination data. In these cases, only occupational health services may process this type of information and the employer may not obtain this information under any circumstances. At most, he may obtain a medical opinion on whether an employee is fit for work.

Germany: Processing of COVID-19-related information is generally only allowed for employers in certain industries. Certain employers named in the law, such as in §§ 23a, 23 Infection Protection Act (IfSG), employers in certain health care facilities (e.g. hospitals, doctors’ offices, rescue services) and § 36 (3) IfSG, such as day care centers, outpatient care services, schools, homeless shelters or correctional facilities, are allowed to process the vaccination status of their employees.

Other employers are generally not permitted to inquire about the vaccination status of employees. But since §28b IfSG came into force on November 24, 2021, employees may only be granted access to company premises if they can prove that they have either been vaccinated, recently recovered or tested negative (so-called “3G status”). In this context, employers may require employees to provide proof of one of the three statuses but may not specifically ask about vaccination status. When it comes to processing and storing information obtained during access control, for data protection reasons, this information must be limited to the fact that employees have access to the premises (taking into account their documented status) and how long this access authorization has existed.

Under current law, while “vaccinated” status does not expire, the information may only be stored for 6 months. “Recently recovered” status is only valid for three months. After that, they must provide other proof that they meet one of the 3G criteria. A negative test is valid for either 24 or 48 hours, depending on the type of test.

Since November 2021, employers are required to verify whether an employee who has been sanctioned with a quarantine for COVID-19 infection was or could have been vaccinated prior to the infection. Under the fourth sentence of Section 56 (1) of the IfSG, an employee is not entitled to continued payment for the period of quarantine if the employee could have avoided the quarantine, e.g., by taking advantage of a vaccination program. The employer must pay the compensation on behalf of the competent authority. As part of this obligation to make an advance payment, the employer is also obliged to check whether the factual requirements for granting the benefits are met. The employer is therefore obliged to obtain information on the vaccination status of its employee before paying the compensation and to decide on this basis whether compensation can be considered in the individual case. The data protection law basis for this processing activity is Section 26 (3) of the German Federal Data Protection Act (BDSG), which permits the processing of special categories of personal data – if this is necessary for the exercise of rights or the fulfillment of legal obligations under labor, social insurance and social protection law and there is no reason to assume that the interests of the data subjects worthy of protection in the exclusion of the processing outweigh this. The Data Protection Conference, an association of German data protection authorities, states that processing the vaccination status of employees on the basis of consent is only possible if the consent was given voluntarily and thus legally valid, Section 26 (3) sentence 2 and (2) BDSG. Due to the relationship of superiority and subordination existing between employer and employee, there are regularly doubts about the voluntariness and thus the legal validity of the employees’ consent.

If employers are allowed to process the vaccination status of their employees, they should not copy the certificates, but only check to see if an employee has been vaccinated.

A mandatory vaccination for all German citizens is being discussed.

Greece: Corona vaccination became mandatory for nursing home staff in mid-August and for the healthcare sector on September 1. Since mid-September, all unvaccinated professionals have had to present a negative Corona rapid test twice a week – at their own expense – when they go to work.

Italy: Since October 15, Italy has become the first country in the EEA to require all workers to present a “green passport” at the workplace. This document records whether a person has been vaccinated, recovered, or tested. A general vaccination requirement has been in effect for health care workers since May, and employees in educational institutions have been required to present the green passport since September. In mid-October, mandatory vaccination was extended to employees of nursing homes.

Netherlands: Currently, there is no specific legislation that allows employers to process the vaccination data of their employees. Government guidelines for employers state that neither testing nor vaccination can be mandated for employees. Only occupational health services and company physicians are allowed to process vaccination data, for example, when employees are absent or reinstated. The Minister of Health, Welfare and Sport has announced that he will allow the health sector to determine the vaccination status of its employees. He also wants to examine whether and how this can be done in other work situations. Currently, employers can only offer voluntary testing in the workplace, but are not allowed to document or enforce the results of such tests.

Spain: Employers are allowed to ask employees if they have been vaccinated, but only if it is proportionate and necessary for the employer to fulfill its legal obligation to ensure health and safety in the workplace. However, employees have the right to refuse to answer this question. Before entering the workplace, employees may be asked to provide a negative test or proof of vaccination if the occupational health and safety provider deems it necessary for the particular workplace.

Processing of COVID-19 immunization data of employees in non-EEA countries

27. October 2021

As COVID-19 vaccination campaigns are well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information (vaccinated, recovered) and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, if an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR)(EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data.

The following discusses whether employers in various non-EEA countries are permitted to process COVID-19-related information about their employees.

Brazil: According to the Labor Code (CLT), employers in Brazil have the right to require their employees to be vaccinated. This is because the employer is responsible for the health and safety of its employees in the workplace and therefore has the right to take reasonable measures to ensure health and safety in the workplace. Since employers can require their employees to be vaccinated, they can also require proof of vaccination. Because LGPD considers this information to be sensitive personal data, special care must be taken in processing it.

Hong Kong: An employer may require its employees to disclose their immunization status. Under the Occupational Safety and Health Ordinance (OSHO), employers are required to take all reasonably practicable steps to ensure the safety and health of all their employees in the workplace. The vaccine may be considered as part of COVID-19 risk assessments as a possible additional measure to mitigate the risks associated with contracting the virus in the workplace. The requirement for vaccination must be lawful and reasonable. Employers may decide, following such a risk assessment, that a vaccinated workforce is necessary and appropriate to mitigate risk. If the employer does so, it must comply with the Personal Data Privacy Ordinance (PDPO). Among other things, the PDPO requires that the collection of data must be necessary for the purpose for which it is collected and must not be kept longer than is necessary for that purpose. Under the PDPO, before collecting data, the employer must inform the employee whether the collection is mandatory or voluntary for the employee and, if mandatory, what the consequences are for the employee if he or she does not provide the data.

UK: An employer may inquire about an employee’s vaccination status or conduct tests on employees if it is proportionate and necessary for the employer to comply with its legal obligation to ensure health and safety at work. The employer must be able to demonstrate that the processing of this information is necessary for compliance with its health and safety obligations under employment law, Art. 9 (2) (b) UK GDPR. He must also conduct a data protection impact assessment to evaluate the necessity of the data collection and balance that necessity against the employee’s right to privacy. A policy for the collection of such data and its retention is also required. The information must be retained only as long as it is needed. There must also be no risk of unlawful discrimination, e.g. the reason for refusing vaccination could be protected from discrimination by the Equality Act 2010.

USA: The Equal Employment Opportunity Commission (EEOC) published a document in which it suggests that an employer may implement a vaccination policy as a condition of physically returning to the workplace. Before implementing a vaccination requirement, an employer should consider whether there are any relevant state laws or regulations that might change anything about the requirements for such a provision. If an employer asks an unvaccinated employee questions about why he or she has not been vaccinated or does not want to be vaccinated, such questions may elicit information about a disability and therefore would fall under the standard for disability-related questions. Because immunization records are personally identifiable information about an employee, the information must be recorded, handled, and stored as confidential medical information. If an employer self-administers the vaccine to its employees or contracts a third party to do so, the employer must demonstrate that the screening questions are “job-related and consistent with business necessity.”

Processing of COVID-19 immunization data of employees in EEA countries

As COVID-19 vaccination campaigns are well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information (vaccinated, recovered, test result) and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR)(EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data. However, the question of whether COVID-19-related data may be processed by an employer is evaluated differently, even in the context of the same data protection regime such as the GDPR.

The following discusses whether employers in various European Economic Area (EEA) countries are permitted to process COVID-19-related information about their employees.

Austria: The processing of health data in the context of the COVID-19 pandemic can be based on Article 9 (2) (b) of the GDPR in conjunction with the relevant provisions on the duty of care (processing for the purpose of fulfilling obligations under labor and social law). Under Austrian labor law, every employer has a duty of care towards its employees, which also includes the exclusion of health hazards in the workplace. However, this only entitles the employer to ask the employee in general terms whether he or she has been examined, is healthy or has been vaccinated. Therefore, if the legislator provides for two other equivalent methods to prove a low epidemiological risk in addition to vaccination, the current view of the data protection authority is that specific questioning about vaccination status is not possible from a data protection perspective. An exception to this is only to be seen in the case of an explicit (voluntary) consent of the employee (Art. 9 (2) a) GDPR), but a voluntary consent is not to be assumed as a rule due to the dependency relationship of the employee.
As of November, employees will be obliged to prove whether they have been vaccinated, recovered from a COVID-19 infection or recently tested negative if they have physical contact with others in enclosed spaces, such as the office.

Belgium: In Belgium, there is no legal basis for the processing of vaccination information of employees by their employer. Article 9 (1) GDPR prohibits the processing of health data unless an explicit exception under Article 9 (2) GDPR applies. Such an exception may be a legal provision or the free and explicit consent of the data subject. Such a legal provision is missing and in the relationship between employee and employer, the employee’s consent is rarely free, as an employee may be under great pressure to give consent. The Belgian data protection authority also explicitly denies the employer’s right to ask.

Finland: The processing of an employee’s health data is only permitted if it is directly necessary for the employment relationship. The employer must carefully verify whether this necessity exists. It is not possible to deviate from this necessity by obtaining the employee’s consent. The employer may process an employee’s health data if this is necessary for the payment of sick pay or comparable health-related benefits or to establish a justified reason for the employee’s absence. The processing of health data is also permitted if an employee expressly requests that his or her ability to work be determined on the basis of health data. In addition, the employer is entitled to process an employee’s health data in situations expressly provided for elsewhere in the Act. The employer may request from occupational health care statistical data on the vaccination protection of its employees.

France: Since July 21st, 2021, a “health passport” is mandatory for recreational and cultural facilities frequented by more than 50 people, such as theaters, cinemas, concerts, festivals, sports venues. The health passport is a digital or paper-based record of whether a person has been vaccinated, recovered within 11 days to 6 months, or tested negative within 48 hours. There are several workplaces where vaccination has been mandatory for workers since August 30th, 2021. These include bars, restaurants, seminars, public transport for long journeys (train, bus, plane). The health passport is also mandatory for the staff and visitors of hospitals, homes for the elderly, retirement homes, but not for patients who have a medical emergency. Also, visitors and staff of department stores and shopping malls need to present a health pass in case the prefect of the department decided this necessary. In these cases, the employer is obliged to check if his employees meet their legal obligations. However, the employer should not copy and store the vaccination certificates, but only store the information whether an employee has been vaccinated. Employers who do not fall into these categories are not allowed to process their employees’ vaccination data. In these cases, only occupational health services may process this type of information, but the employer may not obtain this information under any circumstances. At most, he may obtain a medical opinion on whether an employee is fit for work.

Germany: Processing of COVID-19 related information is generally only permitted for employers in certain sectors. Certain employers named in the law, such as in §§ 23a, 23 Infection Protection Act (IfSG), employers in certain health care facilities (e.g. hospitals, doctors’ offices, rescue services) and § 36 (3) IfSG, such as day care centers, outpatient care services, schools, homeless shelters or correctional facilities, are allowed to process the vaccination status of their employees. Other employers are generally not permitted to inquire about the vaccination status of employees. If allowed to process their employees’ vaccination status, employers should not copy the certificates but only check whether an employee is vaccinated. However, there has been an ongoing discussion in the federal government for several weeks about introducing a legal basis that would allow all employers to administer vaccination information. From November 2021, employers must check whether an employee who has been sanctioned with a quarantine due to a COVID-19 infection was or could have been vaccinated prior to the infection. According to Section 56 (1) sentence 4 IfSG, there is no entitlement to continued payment of remuneration for the period of quarantine if the employee could have avoided the quarantine, e.g. by taking advantage of a vaccination program. The employer must pay the compensation on behalf of the competent authority. As part of this obligation to pay in advance, the employer is also obliged to check whether the factual requirements for the granting of benefits are met. The employer is therefore obliged to obtain information on the vaccination status of its employee before paying compensation and, on this basis, to decide whether compensation can be considered in the individual case.
The data protection basis for this processing activity is Section 26 (3) of the German Federal Data Protection Act (BDSG), which permits the processing of special categories of personal data – if this is necessary for the exercise of rights or the fulfillment of legal obligations arising from labor law, social security law and social protection law, and if there is no reason to assume that the data subjects’ interest in the exclusion of the processing, which is worthy of protection, outweighs this. The Data Protection Conference, an association of German data protection authorities, states that processing the vaccination status of employees on the basis of consent is only possible if the consent was given voluntarily and therefore legally effective, Section 26 (3) sentence 2 and (2) BDSG. Due to the relationship of superiority and subordination existing between employer and employee, there are regularly doubts about the voluntariness and thus the legal validity of the employees’ consent.

Italy: Since October 15, Italy has become the first country in the EEA to require all workers to present a “green passport” at the workplace. This document records whether a person has been vaccinated, recovered, or tested. A general vaccination requirement has been in effect for health care workers since May, and employees in educational institutions have been required to present the green passport since September.

Netherlands: Currently, there is no specific legislation that allows employers to process employee immunization data. Only the occupational health service and company doctors are allowed to process immunization data, for example when employees are absent or reintegrated. The Minister of Health, Welfare and Sport has announced that he will allow the health sector to determine the vaccination status of its employees. He also wants to examine whether and how this can be done in other work situations. Currently, employers can only offer voluntary testing in the workplace, but are not allowed to document the results of such tests or force

Spain: Employers are allowed to ask employees if they have been vaccinated, but only if it is proportionate and necessary for the employer to fulfill its legal obligation to ensure health and safety in the workplace. However, employees have the right to refuse to answer this question. Before entering the workplace, employees may be asked to provide a negative test or proof of vaccination if the occupational health and safety provider deems it necessary for the particular workplace.

Series on Data Protection and Corona – Part 8: Social assessment of the importance of data protection

30. March 2020

The Corona crisis is not only a challenge for the health system, the economy and each and every one of us. People in the so-called ‘systemically important’ professions have been working at their physical and psychological limits for days and are constantly exposed to the virus and its consequences.

The economic damage to be feared can so far only be guessed at and is causing additional concern. The issue is currently omnipresent. Everyone is worried about infecting themselves or others and about whether they, their family, friends and acquaintances will survive the crisis economically or in terms of health.

In these times, it is understandably difficult to continue dealing with data protection. Quite a few people, especially in times of the coronavirus, simply don’t want to deal with the “annoying” data protection issues and some even see data protection as an additional hurdle, for example when it comes to remote work.

Social assessment of data protection

In the last few days we have made every effort to explain to you the data protection regulations and measures as well as the special features of the current situation. Finally, we would like to address the general social attitude towards the topic of data protection and point out its important role even in times of the coronavirus.

At the beginning of March, the German newspaper FAZ published an article on the results of a representative survey conducted by the market research company Innofact on behalf of Usercentrics. The result of this study was that a large part of the German population is prepared to accept restrictions on data protection and thus the right to informational self-determination in order to combat the corona crisis. In addition, the majority of the respondents also advocate the expansion of data retention (for example, of flight and travel data) in order to be able to track the spread of the pandemic. Moreover, more than 50% are prepared to disclose their health data voluntarily.

When the Robert-Koch-Institute (RKI) announced that it had received several terabytes of anonymised data from a German telecommunications provider in order to trace movement patterns of the users and thus assess the effectiveness of the measures imposed to date, there were also hardly any voices critical of such data transfer. This may be due to the fact that the data was anonymised. In other countries, however, data has not been transferred anonymously. In China, South Korea and Taiwan, for example, phone-tracking technologies and mobile phone apps were used to break down movement patterns to individuals.

A similar but slightly different approach, based on the cooperation of the persons concerned, has been established by the Austrian Red Cross. The Red Cross has developed the app “Stopp Corona” (article in German). Users of the app are supposed to track who they have been in contact with and, in case of an infection, also add this information in the app to automatically inform the contacts of the last 48 hours about the infection and ask them to isolate themselves. According to the Red Cross, the data processing will be anonymized. The app has been available for Android devices in Austria since Tuesday, 24.03.2020. It remains to be seen whether and with what success this and similar apps can help against the spread of the pandemic.

Are these findings new?

But are these findings really new, or do they just appear in a different light due to reference to the corona crisis?

The majority of the population uses the social media services Facebook and Instagram. In addition, messengers such as WhatsApp continue to enjoy great popularity in society and are just as popular worldwide as Google Maps. What all these services have in common is that they have all been in the media because of conflicts with data protection regulations. Users must therefore be aware that they reveal a great deal about themselves personally, their interests, hobbies, whereabouts, etc. This is willingly accepted in order to take advantage of the supposedly free benefits they gain by using the above-mentioned services. However, the operators of these services are all too happy to be compensated with the voluntarily provided data of users, for example in order to place advertising tailored to the individual.

The realization that personal data is provided more or less voluntarily is therefore no news. In the current situation, the undoubtedly important purpose of combating the pandemic only seems a welcome excuse, because it seems ‘desirable’ to put data protection before a higher goal.

But even if certain measures, especially when data is used anonymously, seem to be useful in combating the corona virus, even now interventions in the informational self-determination of each individual should only be made after careful consideration, so that each person can continue to develop freely within the framework of his or her freedoms and rights. That is why, even in times of the corona crisis, it is important to preserve the data protection requirements of the GDPR and local data protection and other laws which carry the idea of informational self-determination, also and above all when sensitive data such as health data are to be processed.

This blogpost concludes the daily contributions of the Series on Data Protection and Corona. From time to time, we will add new contributions from the field to this series and will of course continue to keep you informed about data protection news that has no connection to Corona.

For more up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you only the best, stay healthy and protect yourself and others.

Series on Data Protection and Corona – Part 7: Online Learning Tools and potential Data Protection Concerns

27. March 2020

As the COVID-19 pandemic spreads, more and more schools are closing to keep the school staff and children safe. However, this leaves parents with the duty to keep their children educated and to preserve their motivation to learn and study.

Online learning tools and platforms have seen a rise in the past few years, as the demand for additional learning rises and the requirement for schools and students to adapt to a digitalized process gains in importance. In the wake of the current spread of the Coronavirus, these tools may help parents brave the daunting task of suddenly being in charge of their children’s education.

However, it is important to keep in mind that online learning tools also come with issues and challenges in regard to the protection of the personal data of the children. Not only are registration data a requirement for the use of the tools; in addition, a lot of them need to collect the student’s learning data, e.g. learning time, evaluation of tasks or exams, as well as social interactions if they are sharing it with, for example, their class.

In the following, we would like to shed some light on different data protection aspects and things to look out for, in two different constellations. On the one side, the use of independent third party apps or tools and on the other, tools procured or offered by the schools and teachers.

Independent Providers

In the case of independent third party providers, there is a big range of online learning tools available. Each of them has a different array of personal data they collect, and it is very important to read privacy notices if you do not want the personal data of your child potentially used for marketing purposes, or transferred to third countries.

The good thing in regards to third party learning tools is that in most cases, only the e-mail address is required for registration. That allows the option to leave the real names and information of your children blank, instead allowing for the use of pseudonyms to shield from potential unwanted data processing and keep anonymity.

Especially in regards to providers based in Germany, the data protection standards are quite high, and therefore pose less of a threat to the child’s personal data. However, even with high standards in their country of origin, there are tools like Studysmarter, which allow in their privacy notice (available in German) for the learning data of the users to be processed for the enhancement of the tool. Furthermore, many of these online learning tools use applications through Google or Facebook, which likely transfer their data to the USA, and thus might be accessible to the American government.

In most cases of third party online learning tools, the third parties are the controllers of the data collected. However, some tools, for example Antolin, are processors due to the constellation of the platform’s setup. In such cases, the teacher acts as an admin for the students’ accounts and keeps control of the data collected. That ensures an additional safeguard in the processing of the children’s personal data, since the teacher controls through instructions and customizable online classrooms what data is processed.

Schools

In contrast to the above, schools have increasingly started to develop and offer their own online learning tools, or collaborate with third parties to provide more individualized online learning options. This leads to the positive fact that, since the school is still the controller of the collected personal data, the same safeguards are in place as during regular school attendance.

In Germany, in such a case the processing is based on the school’s institutional authority to provide education. Because of that, the legal grounds for the processing are Art.6 I lit.e GDPR, Art.6 III sentence 1 lit.b GDPR which refers to the respective state’s school laws and school data protection laws. Therefore, the data protection in such cases is bound to specialized legal obligations.

However, since the school and the teacher usually are the ones administrating their online learning platforms, there is less chance for the students to stay anonymous. In order to fulfil their educational duty and to grade or help the students in specific cases, the teacher needs to be able to identify each student and the class they belong in. Parents might have to keep an eye on the social exchange with classmates over these learning tools as well, since personal data, which is not necessary for the educational duties of the school, does not fall under their processing competence.

In that regard, the Datenschutzkonferenz (DSK) in Germany has released an orientation guide on online learning tools that schools are recommended to follow in order to stay GDPR compliant. The guide touches in detail on the different aspects of the processing of students’ personal data, and gives pointers on how schools are supposed to process personal data collected in online learning tools.

Overall, it is important for parents and children to be informed by the controller in the terms of Art.13 GDPR in order to be sure about the type of processing taking place, and make sure the necessary consent has been requested in case of profiling or marketing purposes.

Where possible, it is recommended to give the least amount of personal data required, especially if the online learning tool is not handled by the child’s school but rather by a third party provider. In addition, parents should look out for third country transfers, as the safeguards in other countries do not necessarily compare to the standards in their country of origin.

We also recommend keeping an eye on your child’s usage of the tool and monitoring their handling of their own personal data.

The series on data protection and corona will be continued with the last blogpost of the series on the subject of social assessment of the importance of data protection.


Series on Data Protection and Corona – Part 6: Data Sharing Practices to Fight the Corona Pandemic

26. March 2020

The newest developments of public lockdowns in many countries and states show that the Coronavirus is an unprecedented challenge to governments, administrations and law enforcement across the whole world. In an attempt to contain the spread of the pandemic, governments are seeking out all the possible options that are available to them. One promising option may be to make use of existing data by sharing, comparing and evaluating them to gain insights into how to best address the current challenges. It becomes apparent that countries take different approaches to allowing and using data sharing as a means to fight the pandemic.

Today’s blogpost will take a look at how data sharing is practiced around the world and what this might mean for the privacy of individuals.

Data Sharing by Public Authorities to Public Authorities

The Executive Committee of the Global Privacy Assembly (GPA) published a statement on 17 March 2020, calling for the sharing of personal data as necessary by organisations and governments, even across borders.

The GPA is a data protection entity comprising more than 130 international data protection authorities (DPAs) on the national and state level. Among many others, the accredited members include the DPA of Japan, USA, Canada, Mexico, Australia, Israel, Hong Kong, Argentina and all EU countries.

In its statement, the GPA makes clear that the data protection rules will not be a hindrance to effectively tackling the Corona pandemic. In fact, across all member jurisdictions, the data protection laws allow the processing of personal data in the public interest (e.g. Art. 6 para. 1 s. 1 lit. e and Art. 9 para. 2 lit. i GDPR). In the current crisis, the DPAs all over the world will help facilitate swift and safe data sharing to fight Corona, whilst still maintaining the privacy rights of individuals proportionately.

Data Sharing by Private Entities to Public Authorities

In the meantime, private entities all over the world have started to share personal data with public bodies in an effort to fight the pandemic. The extent of these data sharing practices largely depends on the national data protection laws that the respective countries have in place. Since the level of data protection still varies greatly in different jurisdictions, the data sharing practices vary greatly as well.

In several EU countries like Germany and Austria, telecommunications companies have started sharing anonymised mobile location data of customers with governmental agencies in order to trace the movement patterns of mobile phone users. The German governmental health agency Robert-Koch-Institute (RKI), for example, received more than 5 gigabytes of anonymised data from Deutsche Telekom. The RKI will use the data to model the flows of movement, which shall provide the researchers with new insights into the spread of the virus.

The European Data Protection Board (EDPB) affirms in its statement from 19 March 2020 that within the jurisdiction of the GDPR, personal data protection rules do not apply to data which has been appropriately anonymised. Even the processing of non-anonymised location data by public authorities is possible if an EU Member State introduces national legislation to safeguard public security pursuant to Art. 15 para. 1 ePrivacy Directive (2002/58/EC). However, in this case, a Member State must also put in place adequate safeguards for individual rights, such as the right to a judicial remedy, as well as abide by the proportionality principle.

In other countries like Taiwan, South Korea and Israel, telecommunications companies and credit card companies are already sharing non-anonymised mobile location data and payment data with their governments, in order to track cases, cut transmission chains and enforce quarantines.

The authorities in Taiwan, for instance, make use of the mobile location data far more rigorously than the authorities in Western countries, as they have established the so-called “electronic fence”, which is fed with data from telecommunications providers. This system monitors the mobile location data constantly and informs police and local officials if people in mandated home quarantine move away from their addresses or turn off their mobile phones. In the event of such an alert, the authorities will contact or visit these people within 15 minutes. Quarantine violators in Taiwan will face a fine of up to 1 million Taiwanese dollars (31,000 euros).

Israel is mainly using mobile location data to trace people who came in close contact with known Coronavirus carriers, and to send them text messages ordering them to self-isolate immediately. However, the authorities shall also track whether a virus carrier is adhering to quarantine rules. Last week, the Israeli government approved emergency regulations that allow the domestic security agency Shin Bet to process non-anonymised location data for a limited period of 30 days, with the permission of the attorney general.

As governments are taking measures against the spread of Corona, some more and some less intrusive to the privacy rights of individuals, time will tell whether the measures have worked effectively in containing the pandemic.

The series on Data Protection and Corona will be continued tomorrow with a blogpost on “Data Protection and Online learning tools”.


Series on Data Protection and Corona – Part 5: Data Protection compliant remote work

25. March 2020

The corona virus (SARS-CoV-2) is currently omnipresent. In order to slow down the spread of the virus, many companies, offices and employers are switching to having their staff work remotely. But even in times of pandemic crisis and in the home office, the conditions for compliance with existing data protection laws must be in place and need to be considered. The responsibility of the company or employer (as a controller) and thus, if applicable, the personal liability of the management still remains.

For the period of working at home, the employer should establish strict and transparent rules to clarify its own rights and obligations as well as those of its employees, regardless of where and on which end device the employees work. Therefore, each employer should take appropriate and proportionate measures to make sure that it and its employees act in compliance with the requirements of the GDPR during the whole period of the state of emergency within the EU.

Data processing at home carries a higher risk of data loss and data breach. It is therefore recommended to consider the following measures and, further, to agree on such measures in writing, especially in order to avoid unnecessary misunderstandings and liability issues:

  • to provide employees with business terminal (mobile) devices for work in the home office, in order to be able to update the devices on a regular basis and to set up firewalls, anti-virus protection and protection against unauthorized access,
  • to prohibit the use of private devices and, as far as possible, to technically prevent this.

The measures above can be implemented in the company or office. Further precautions and instructions are required in the employee’s home workplace, such as:

  • the employer should set up a guideline on the handling of documents and how they are to be destroyed (e.g. shredded and not misused as scrap paper),
  • employees should be aware of measures to protect confidential data and information against third-party access, such as a privacy filter or a password-protected screen saver in order to avoid “shoulder surfing” etc.,
  • the employee should prevent the viewing and access by third parties, such as by aligning the monitor, using a privacy filter or setting up an automatic, password-protected screen saver,
  • the workplace should be in a separate room,
  • employees who do not live alone should always lock their mobile devices or laptops when leaving,
  • business related documents or mails should not be forwarded to private mail accounts or mailboxes,
  • employees should set up secure passwords (the password should contain at least 8 characters, consisting of a combination of letters, numbers and special characters).

The series on data protection and corona will be continued tomorrow with a blogpost regarding the statement of the Global Privacy Assembly on “Data Sharing Practices to Fight the Corona Pandemic”.


Series on Data Protection and Corona – Part 4: Processing of health data in context of preventive measures against corona infections

24. March 2020

Stopping the spread of the corona virus as far as possible, or at least slowing it down, is the top priority these days. For this reason, many employers instruct their employees, as far as possible, to work remotely from home in order to reduce the risk of infection. However, this approach does not work for all businesses, such as the pharma industries, utilities (e.g. power plants) or grocery stores, food retailers and suppliers. Therefore, such businesses have a strong interest in ensuring that neither the employees present nor visitors (or customers) are infected with the virus.

For infection prevention purposes, information on the state of health of individuals is an important means to help prevent people from getting infected with the virus and thus “flatten the curve”. Such health information falls under the so-called special categories of personal data according to Art. 9 of the EU General Data Protection Regulation (GDPR) and hence is subject to a particularly high level of protection. Therefore, when requesting information about an employee’s or visitor’s health, there are a number of things to be considered.

What are health data?

First, the term ‘health data’ needs some clarification: According to Art. 4 No. 15 GDPR, health data are personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

The term health data thus not only covers disease-specific information about the data subject, such as a viral infection or drug consumption, but already the general statement as to whether someone is healthy or not. Information that may not directly indicate an individual’s state of health in the first place is also to be considered health data if, in fact, the context in which the information is to be used leads to a conclusion about an individual’s health condition.

When can health data be processed?

It remains to be clarified when health data can be processed for infection prevention purposes under the GDPR. First of all, it is very likely that consent to the processing of health data for infection prevention purposes cannot be freely given and would thus be invalid in nearly all practically relevant cases. However, without the consent of the data subject, the processing of health data is only permissible in the exceptional cases according to Art. 9 para. 2 GDPR. In the following, this blog post therefore focuses on the options that are available without consent regarding the group of employees and visitors.

When is the employer allowed to collect and process health data of employees with regard to the corona virus, according to the GDPR?

Health data can be processed in the context of employment in the non-public sector to the extent that it is necessary for reasons of public interest in the area of public health (Art. 9 para. 2 lit. i) GDPR and local EU member state law, such as section 53 of the Irish Data Protection Act 2018 or § 22 para. 1 lit. c) of the German Federal Data Protection Act) and/or to the extent that it is necessary for the fulfillment of rights and obligations in the context of the employment (Art. 9 para. 2 lit. b) GDPR together with a local EU member state law, such as the Irish Safety, Health and Welfare at Work Act 2005) as, e.g., the Irish and Hungarian Data Protection Authorities both stated (for the list of authority statements see our previous blog post part 1).

However, the employer has a duty of care, particularly with regard to the protection against the corona virus, which applies not only to the individual employee, but also to all employees as a whole. Accordingly, the employer is obliged to take proportionate measures to protect the health of its employees during working hours. In particular, this also includes measures against diseases such as the corona virus that are notifiable under the local infection protection laws of EU member states.

Please note that, in accordance with the principle of data minimization, only the strictly necessary health data is to be collected and processed. Therefore, it is recommended that employers make use of other preventive measures (e.g. by teaching employees about infection prevention or providing them with hand disinfection or protective clothing) before considering means of data processing. Moreover, such health data is to be treated as strictly confidential, both for the protection of the individual employee and to maintain the industrial peace and the operation of the company. If the employer processes personal data which are not health data, he can, after careful examination, also rely on Art. 6 para. 1 lit. f) GDPR.

Does the employee have to report an infection?

The employee is also obliged to inform the employer of a corona infection, because of his fiduciary duty to the employer. This principle of loyalty also authorizes the employee to disclose personal data of other individuals in the business environment with whom he has had contact. This disclosure to the employer and the following assessment and storage of such information by the employer can be based on a legitimate interest of the employer under Art. 6 para. 1 lit. f) GDPR as well as on Art. 6 para. 1 lit. c) GDPR.

When is a company allowed to collect and process health data of visitors of its premises?

Since companies regularly welcome visitors and guests, there is also a strong interest of companies in taking precautionary measures to contain the virus. If health data would need to be processed for this purpose, this can be done after careful examination on the basis of Art. 9 para. 2 lit. i) GDPR and, if any, local EU member state law (such as mentioned above). In the case of other measures in which personal data other than health data are processed, the employer may rely on his legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR (cf. BfDI).

What measures are permitted with regard to the containment of the corona virus?

Examples of permissible measures “against” employees:

  • measures without data protection reference, such as hygiene regulations, general instructions (e.g., to stay at home if symptoms occur), cancellation/postponement of business trips, instruction to work remotely from home, regular information about relevant news about the virus,
  • request for information on infection in case of justified suspicion,
  • requesting infected employees for information about contacted persons in the company environment,
  • request for information about whether they have been to a risk area after vacation or business trips,
  • processing of information that has been proactively communicated by the employee, e.g. that there has been contact with a (potentially) infected individual,
  • obtaining consent to store emergency contacts and private contact details for notification purposes, in case of emergencies and operational changes due to the corona virus.

Examples of non-acceptable measures “against” employees:

  • mandatory comprehensive questionnaires to the entire workforce (e.g. series of unreasonable surveys),
  • interviewing other workers to see if anyone of the staff has symptoms.

Examples of permissible measures for visitors or guests of the company:

  • measures without data protection reference, such as hygiene regulations, restriction of visiting possibilities, a notice to postpone the visit if having symptoms,
  • request for information on infection in case of justified suspicion,
  • requesting infected visitors or guests for information regarding contacted persons in the company.

Examples of unacceptable actions towards visitors or guests of the company:

  • general (comprehensive) request for health information without justified suspicion.

The series on Data Protection and Corona will be continued tomorrow with a blog post on Data Protection compliant remote work.


Series on Data Protection and Corona – Part 3: Information Obligations, Measures and their assessment regarding Data Protection

23. March 2020

With information about the COVID-19 virus currently changing daily, companies and employers are facing new challenges: on the one side, keeping their day to day business intact while preventing the spread of the pandemic, and on the other, complying with their obligations in regard to the processing of personal data.

While in the current situation it seems much more important to establish measures to keep the new Coronavirus from spreading, it is as important not to forget the data protection issues arising with such measures. For the implemented measures to work, it is to be expected that the employer will process sensitive data, more importantly health data. However, these sensitive data cannot simply be processed without legal grounds and without following data protection obligations, especially information obligations.

In the following, we explain how to deal with the information obligations in Art.13 GDPR and potential legal grounds for the processing of personal data that comes with the measures taken by employers or companies.

Information obligations and measures against employees

In order to fulfill the information obligations towards employees, it is important to recognize the difference between measures where only general personal data is collected and processed, and measures which require the collection and processing of sensitive data, which in the current situation means specifically health data.

If an employer asks employees for information on their last trip or whether they have been to a high-risk country, the processing would only touch general personal data. The legal basis for the processing of this personal data would be Art. 6 I lit. f GDPR. In such a case, the processing will be based on the balancing of interests in favor of the company and its obligation to ensure employees’ safety.

For measures which collect and process sensitive health data, for example inquiries about symptoms or fever measurement at the entrance to buildings, the requirements of the GDPR are higher. It is generally not allowed to process health data unless the law provides an exemption. In Germany, the legal basis for such measures would be Art. 9 II GDPR, § 26 BDSG. It is also important to note that these types of measures cannot be made mandatory for the entirety of the staff, as stated by the different supervisory authorities in their statements.

It is important to keep in mind that Art. 9 II GDPR is an opening clause, giving the different countries the opportunity to implement exemptions in national laws. Please refer to your country’s supervisory authority for potential exemptions in your country.

Furthermore, the supervisory authorities of different countries have already published statements on potential measures and their legal basis, a list of which you can find in our first blog post of this series.

Information obligations and measures against third parties

In the case of third parties, for example visitors or external clerks, employers cannot fall back on their obligation to ensure safety in the same way as they can with employees. Measures against third parties are therefore more delicate in their approach.

It is generally not possible to use Art. 9 II lit. a GDPR as legal basis, since consent cannot be freely given on the basis of insufficient information. Therefore, in Germany, the collection and processing of general and sensitive personal data with regard to third parties finds its legal basis under Art. 9 II lit. i GDPR, § 22 lit. d BDSG and Art. 9 II lit. g GDPR, § 22 lit. c BDSG respectively.

Information necessary for Information Notices

First, as presented above, it is necessary to differentiate between information obligations and measures against employees, and the respective obligations and measures against third parties, e.g. visitors. Each requires its own information notice in order to keep the different categories of data subjects compliantly informed.

During this ongoing pandemic situation, the different supervisory authorities, and in particular the German Data Protection Commissioner, have made it clear that, while there may be changes with regard to certain processing activities, the information obligations of processors will not become more lenient.

One of the main aspects remains transparency (Art. 5 I sentence 1 lit. a GDPR), which finds its implementation in Art. 13 and Art. 14 GDPR. While the measures against the spread of the pandemic play an important role and broaden the processing permission for certain personal data, the data subjects need to be continuously informed about these measures, the processing and their legal grounds.

Overall, it is recommended to keep any information notices short but precise. Due to the nature of the crisis and the ever-changing situation, providing the required information on the processor and the nature of the processing helps to prevent confusion and keeps everything concise.

In particular, as a first step under the obligations from Art. 13 GDPR, it is necessary to define the purpose of the processing. Due to the health implications and broad risk of the virus, the purpose of the processing consists of the containment of the pandemic. Secondly, there needs to be a legal basis. For the measures of processing and their respective legal bases, please refer to the points above. Finally, it is required to precisely list the different personal data collected.

If the processing follows the balancing of interests in Art. 6 I lit. f GDPR, it is further necessary to present the assessments made. While the data subjects’ interest in non-processing of their personal data stands, the employer’s interest in keeping their employees from getting infected and further spreading the virus outweighs the data subjects’ interest in this case.

Furthermore, it is imperative that the personal data collected in these cases are not transferred, either to third parties or to third countries. The nature of these personal data is highly sensitive, and they are therefore not to be disclosed.

Accordingly, it is to be expected that the retention period for such personal data has to be kept relatively short. In any case, it is recommended that the retention of the collected data should not exceed 8 weeks. This time frame can vary depending on the duration of the pandemic outbreak, and can therefore be adjusted, but deletion has to occur at the latest with the end of the pandemic.

Overall, due to the daily changing nature of the situation, it is important to keep up to date with supervisory authorities’ statements and handling of the arising issues. We recommend keeping informed about the different legal opinions of the authorities with regard to certain measures while these very new circumstances unfold, and adjusting information notices as the need arises. You may also find further information on the processing of personal data in connection with the new Coronavirus in our previous blog post.

The series on data protection and corona will be continued tomorrow with a contribution on the subject of the processing of health data to protect from corona infections.
