Series on Data Protection and Corona – Part 3: Information Obligations, Measures and their assessment regarding Data Protection

23 March 2020

In the wake of the daily changing information about the COVID-19 virus, companies and employers are facing new challenges. On the one hand, they must keep their day-to-day business intact while preventing the spread of the pandemic; on the other, they must comply with their obligations regarding the processing of personal data.

While in the current situation it seems much more important to establish measures to keep the new Coronavirus from spreading, it is just as important not to forget the data protection issues arising from such measures. For the implemented measures to work, it is to be expected that the employer will process sensitive data, in particular health data. However, such sensitive data cannot simply be processed without a legal basis and without complying with data protection obligations, especially information obligations.

In the following, we would like to explain how to deal with the information obligations under Art. 13 GDPR and the potential legal bases for the processing of personal data that comes with the measures taken by employers or companies.

Information obligations and measures against employees

In order to fulfill the information obligations towards employees, it is important to recognize the difference between measures where only general personal data is collected and processed, and measures which require the collection and processing of sensitive data, in the current situation specifically health data.

If an employer asks employees for information about their last trip or whether they have been to a high-risk country, the processing would only involve general personal data. The legal basis for the processing of this personal data would be Art. 6 I lit. f GDPR. In such a case, the processing is based on a balancing of interests in favor of the company and its obligation to ensure employees’ safety.

Concerning measures which collect and process sensitive health data, for example inquiries about symptoms or fever measurement at the entrance to buildings, the requirements of the GDPR are higher. It is generally not allowed to process health data unless the law provides an exemption. In Germany, the legal basis for such measures would be Art. 9 II GDPR, § 26 BDSG. It is also important to note that these types of measures cannot be made mandatory for the entire staff, as the different supervisory authorities have stated.

It is important to keep in mind that Art. 9 II GDPR is an opening clause, giving the different countries the opportunity to implement exemptions in national law. Please refer to your country’s supervisory authority for potential exemptions in your country.

Furthermore, the supervisory authorities of different countries have already published a statement on potential measures and their legal basis, a list of which you can find in our first blog post of this series.

Information obligations and measures against third parties

In the case of third parties, for example visitors or external clerks, employers cannot fall back on their obligation to ensure safety in the same way as they can with employees. Measures against third parties are therefore more delicate in their approach.

It is generally not possible to use Art. 9 II lit. a GDPR as the legal basis, since consent cannot be freely given where the data subject is insufficiently informed. Therefore, in Germany, the collection and processing of general and sensitive personal data of third parties finds its legal basis in Art. 9 II lit. i GDPR, § 22 lit. d BDSG and Art. 9 II lit. g GDPR, § 22 lit. c BDSG respectively.

Information necessary for Information Notices

First off, as presented above, it is necessary to differentiate between information obligations and measures against employees, and the respective obligations and measures against third parties, e.g. visitors. Each requires its own information notice in order to inform the different categories of data subjects in a compliant manner.

During this ongoing pandemic, the different supervisory authorities, and in particular the German Data Protection Commissioner, have made it clear that, while there may be changes with regard to certain processing activities, the information obligations of processors will not become more lenient.

One of the main aspects remains transparency (Art. 5 I sentence 1 lit. a GDPR), which is implemented in Art. 13 and Art. 14 GDPR. While the measures against the spread of the pandemic play an important role and broaden the permission to process certain personal data, the data subjects need to be continuously informed about these measures, the processing and its legal grounds.

Overall, it is recommended to keep any information notices short but precise. Due to the nature of the crisis and the ever-changing situation, providing the required information about the processor and the nature of the processing helps to prevent confusion and keep everything concise.

Among the obligations under Art. 13 GDPR, it is first necessary to define the purpose of the processing. Due to the health implications and the broad risk posed by the virus, the purpose of the processing is the containment of the pandemic. Secondly, there needs to be a legal basis. For the processing measures and their respective legal bases, please refer to the points above. Finally, the different personal data collected must be listed precisely.

If the processing is based on the balancing of interests in Art. 6 I lit. f GDPR, it is further necessary to present the assessment made. While the data subjects’ interest in their personal data not being processed remains, the employer’s interest in keeping their employees from getting infected and further spreading the virus outweighs the data subjects’ interest in this case.

Furthermore, it is imperative that the personal data collected in these cases is not transferred, neither to third parties nor to third countries. This personal data is highly sensitive by nature and therefore not to be disclosed.

Accordingly, it is to be expected that the retention period for such personal data has to be kept relatively short. In any case, it is recommended that the retention of the collected data should not exceed 8 weeks. This time frame can vary depending on the duration of the pandemic outbreak and can therefore be adjusted, but deletion must occur at the latest at the end of the pandemic.

Overall, due to the daily changing nature of the situation, it is important to keep up to date with the supervisory authorities’ statements and their handling of the arising issues. We recommend staying informed about the authorities’ different legal opinions on certain measures as these very new circumstances unfold, and adjusting information notices as the need arises. You may also find further information on the processing of personal data in connection with the new Coronavirus in our previous blog post.

The series on data protection and corona will be continued tomorrow with a contribution on the subject of the processing of health data to protect from corona infections.

For up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.