Data protection and Corona (COVID-19) – Quick Guide for medium-sized companies

Validity of GDPR (General Data Protection Regulation)

In principle, all GDPR requirements are still valid. As a reminder, the GDPR provides a legal framework for the processing of personal data by private and public data processors. It thereby ensures the protection of personal data and the free movement of data within the European Union and for organizations doing business in the EU. Non-compliance can result in fines of up to 20 million euros or up to four percent of annual worldwide group revenue.

In the current COVID-19 crisis, employees’ health data may need to be gathered and forwarded to authorities in order to combat the pandemic effectively. This must be done in compliance with the data protection rules outlined below.

Rules around employer collection of employees’ private contact details

Employees’ current private contact details (mobile phone numbers, email addresses, etc.) may be requested by employers and can be temporarily stored provided the intent, such as faster communication during the pandemic, is clearly defined, and the employees' consent has been obtained. The employer is obliged to delete this information as soon as the pandemic has ended. Employees need to be informed accordingly, especially regarding how long the data may be stored. The storage period should be limited to 8 weeks since the incubation period is currently considered to be 2 weeks and a safety period of 6 weeks should suffice. After 8 weeks, the purpose for retaining the information is no longer valid, unless data has been requested by public authorities for processing in the meantime.

Additional reasons employers may request personal information from employees: an employee visited a defined risk area or had direct contact with someone who tested positive for the virus

The employer may ask for personal information if it is collected to protect the workforce from infection. Examples include where the employees spent their vacations or if they had contact with people who have tested positive for the virus.

Handling of and passing on information in the event an employee has been infected

  • In the workforce
    Mentioning infected employees by name is very strongly discouraged. Employees who have had contact with the infected person, however, should be released from work and, if possible, sent to work from home immediately. If those measures cannot be successfully and expediently implemented, the name of an infected person can be given in order to identify the source of infection. This can only happen in absolutely exceptional cases and only after consultation with local health authorities.
  • Transmission of information to authorities
    If authorities request information, e.g. on employees who are ill, the employer is obliged to pass this on accordingly.

For the events sector, if an individual who took part in an event has tested positive, organizers may provide data on those in attendance at the request of health authorities

As soon as an official order or decree is issued, the organization should comply and pass on the requested personal data from attendance logs/systems. However, the purpose has to be clearly defined as necessary to reduce exposure to individuals or the public. If there is no order or decree, but the organization has the consent of the attendees, it is free to share this information with the authorities or not.

Data collection and transfer from service providers (e.g. hospitals, doctors) to health authorities

Health care providers are required to pass on the following patient information, if available, to the public health department:

  • Name and first name
  • Sex
  • Date of birth
  • Primary address
  • Further contact details
  • Diagnosis or suspected diagnosis
  • Date of symptom onset, date of diagnosis and, where appropriate, the date of death, and probable time or time period when infection was contracted
  • Probable source of infection (country, district, city)
