Data protection and Covid-19: What should be considered?
The COVID-19 pandemic in Germany and Europe is increasingly motivating companies to take protective measures. This raises the question, for employers and employees alike, of the circumstances under which data (in particular health data) may be processed and exchanged.
Can self-disclosures and questionnaires be considered legitimate under data protection law as a measure to contain the COVID-19 pandemic and prevent its further spread?
Obtaining self-disclosures from employees, or having employees fill out questionnaires asking about their health status, possible stays in risk areas or contact with demonstrably infected persons, constitutes processing of health data. Although health data may generally be processed only under restrictive conditions, it can be processed in compliance with data protection regulations for measures such as those mentioned, in order to contain the COVID-19 pandemic or to protect employees. In addition to the principle of proportionality, the information requirements, the indication of a legal basis for the processing and the granting of data subjects' rights must be observed.
As a starting point, health data should only be processed internally, since disclosure of this data to third parties is permitted only in exceptional cases. For example, disclosure of sensitive data may be permissible at the request of an authority on the basis of a legal obligation or an official order.
Disclosure of personal information about individuals who are demonstrably infected or suspected of being infected, for the purpose of informing their contacts, may be lawful in narrow exceptions. Knowledge of the person's identity must be necessary for the contact precautions in question.
As a matter of principle, employers and service providers must delete all such data immediately once the purpose of the processing has ceased, i.e. at the end of the pandemic. In addition, data subjects must be provided with data protection information.
#StayAtHome: What to consider when working from home?
In the wake of the COVID-19 pandemic, much of everyday life has changed very rapidly. This includes working from home. Setting up a home office usually requires a great deal of preparation, for example to ensure that data protection requirements are met at the home office to the same extent as in the office. Since relocating the workplace deprives the employer of the ability to control and access it, employees should be made aware of the following:
- As a rule, telephone conferences should be used. In view of the interest of individual employees in not sharing their private environment in a professional context, video conferencing should be required only in exceptional cases.
- IT equipment provided by the employer may generally not be used for private purposes. Private hardware and software may be used for teleworking and mobile working only under certain conditions.
- The room used as a home office must be lockable. Persons living in the same household as the teleworker must not have access to company or official documents.
- In the event of loss of personal data or any other violation of data protection regulations, the employer must be informed immediately.
- Work-related e-mails must not be diverted to the private mailboxes of mobile workers.
What are the implications of the COVID-19 pandemic for data protection deadlines?
Resources, both financial and human, may be diverted from routine data protection compliance work because of the pandemic, causing internal processes to slow down.
Nevertheless, according to Art. 12 par. 3 GDPR, companies remain legally obliged to respond to data subjects' rights after three months at the latest. Furthermore, the obligation to notify personal data breaches pursuant to Art. 33 GDPR is subject to a fixed period of 72 hours after the breach became known.
The supervisory authorities cannot extend the statutory deadlines across the board, but it should be possible to justify an extension in individual cases by referring to the current situation.