COVID-19 Legal Update: Principles of lawful data processing in Coronavirus times – Collection and transfer of health data.

23 March 2020 – need2know 

May employers collect and otherwise process information on whether an employee was in a risk area or had direct contact with a sick person?

In many cases, the collection of personal data during the coronavirus pandemic establishes links between individuals and their state of health. However, health data are now subject to special protection under Art 9 GDPR. It is important, in the case of questions relating to employee movement to a risk area, that health data are not only those that directly relate to the physical and mental states of a person. Rather, they are also data from which conclusions can be drawn indirectly about the state of health of a person affected. The context of use in individual cases is taken into account. Since the collection of this information serves to determine the state of health or the suspicion of an infection, it must be assumed that the information would qualify as health data.

In the context of labour law, the legal basis for data processing may be Article 9 paragraph 2 lit h GDPR (processing for the purpose of health care). According to Recital 53 of the GDPR, health care “shall also serve to ensure and monitor health and health warnings”. However, the employer also has a duty of care towards the employees. Since health data may be processed insofar as they are relevant to the specific employment relationship (specifically, the exclusion of health risks at the workplace due to coronavirus infection), Art 9 (1) (b) GDPR can also be considered as a legal basis under this duty of care.

Such data may not be stored beyond the end of the Corona-crisis, unless a specific law requires the continuation of the storage of the data.

If, however, sensitive data of this kind are collected and stored, it must not be overlooked that Art 13 and Art 14 GDPR require the person responsible to provide the data subjects with comprehensive information on the content and scope of the data processing. The information required by Art 13 and 14 GDPR must be provided at the latest at the time of data collection, or better still, immediately before data collection begins.

May employers collect private mobile phone numbers or other contact data of employees in order to be able to warn them or ask them to stay at home in the event of a closure of the company or similar cases on short notice?

The establishment of a communication network to employees outside their presence in the company requires the collection of private contact data. In principle, this data processing can be justified by the fact that the employer has a justified interest under Art. 6 para. 1 lit f GDPR in being able to warn its employees on short notice and not having to wait until they next return to the workplace. However, the disclosure of this data can only be made voluntarily. There is therefore no obligation to disclose such private contact data. Furthermore, the data must be deleted again at the latest after the end of the Coronavirus crisis.

In this case, too, the duty to inform according to Art 13 and 14 GDPR must be observed.

May employers inform employees that a particular employee has fallen ill with the coronavirus, e.g. to excuse possible contact persons from the workplace? May employers, upon request by health authorities, provide the authorities with data on employees who have fallen ill?

The transfer of such information to the relevant competent health authorities can be based on Art 9 para. 1 lit i GDPR. For example, the processing of sensitive data is permitted under lit i leg cit for the purpose of protecting against health risks to the population if there is a national or European regulation serving precisely these purposes.

Under Article 5(3) of the Epidemic Act, the employer is obliged to provide information on suspected cases and infections at the request of the district administrative authority. This reporting obligation to protect against dangers to the population caused by the spread of the coronavirus constitutes such a special national legal rule. The employer can therefore argue a legal basis for passing on health data to authorities.

However, a corresponding right to transfer data from employers to other employees cannot be derived from this. The disclosure of the name of an employee who is ill or of a person suspected of being ill to his or her colleagues cannot in principle be legitimised by any other legal basis in Art. 9 para. 1 GDPR, not least because the employee who is ill is at risk of stigmatisation and an employer’s duty of care would not easily outweigh this.

The necessity of disclosure of the name would also be more than questionable, since measures not requiring mention of the name would usually suffice to contain the risk of infection. Should this not be the case in exceptional cases, since contact is suspected or at least cannot be ruled out across teams, the employer should contact the health authority before disclosing the name of the employee concerned in order to be able to identify and excuse contact persons from the workplace. Alternatively, the infected employee could be asked for a list of contact persons in the company as a less intrusive measure.

What effects does the home office of employees have on data security? Which technical and organisational measures are to be implemented?

The employer faces a particular danger from the coronavirus crisis in that the creation and increased use of home offices means that the employer (as the one responsible) loses full control over the IT infrastructure. As a rule, the same infrastructural security cannot be assumed at the mobile workstation as is found in a fixed operational office environment, especially under circumstances that have led to the creation of countless home workstations on such short notice. In order to prevent data loss and data misuse, those responsible are therefore more strongly required to determine and implement such security measures within the meaning of Art 32 GDPR that create a security situation comparable to an office space.

Apart from instructions to employees on how to behave at home (e.g. not to leave notebooks freely accessible and unsecured at home), an essential technical measure is, for example, that business applications can only be used via a secure VPN remote connection (e.g. Citrix), ideally using token authentication.


Author: Sonja Dürager

Practice Group:
IP/IT/Data Protection

If you would like to receive future issues of need2know follow us on LinkedIn or please send an email to