The world is struggling with the current outbreak of coronavirus disease (COVID-19). It is clear that coronavirus is a threat to all human beings. It has also become clear that coronavirus is a threat to the health of the world economy and businesses.
On March 11, 2020 the World Health Organization (WHO) characterized the virus outbreak as a pandemic. The stock markets duly crashed. Governments began to prohibit certain events and close down schools. However, it is not exactly clear how big the threat is. Is COVID-19 already a “serious cross-border threa[t] to health” (article 9.2(i) GDPR)? Are German businesses permitted to ask customers, visitors and employees if they suffer from a cough or other symptoms? Are German employers permitted to send employees who have a runny nose home? Who bears the costs if commercial agreements cannot be performed or if events are canceled?
Businesses are looking to create a safe and healthy work environment for their employees, customers and business partners. During the course of the coronavirus pandemic, this will include adopting certain health-related measures. This alert will answer legal questions we have been asked in the past few days and give guidance on whether or not certain measures comply with applicable laws in Germany; many of the answers will also apply in other EU countries.
Data Protection Law
Q: Can a company ask employees and visitors to let the company know if they think they may have been exposed to the virus?
A: Yes. The company can request that it be informed. However, the employer/business cannot force employees, visitors or other individuals to inform the company. Nor can employers force their staff to see a doctor. The company can, however, ask all employees/visitors to answer certain questions (see below).
Generally, questions on health status are considered special categories of personal data that have to be processed with higher caution (article 9 GDPR). The GDPR and German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG; FDPA) permit the processing of such special categories of personal data under certain strict requirements. Coronavirus as such can, for example, be considered a “serious cross-border threat to health” (article 9.2(h) GDPR or article 22.1(c) FDPA) and measures to protect employees may include measures to protect the health of employees (article 9.2(i) GDPR or article 22.1(b) FDPA). However, this does not mean that all measures can be justified on the grounds of “coronavirus”: Measures must, above all, be necessary and reasonable, and, in general, the data must be processed by doctors or other suitably qualified personnel.
Q: Can a company ask employees and visitors to let the company know if they are infected by the coronavirus?
A: Yes. Generally, the employer does not have the right to know what kind of illness an employee has (and for individuals other than staff, the threshold is even higher). However, with coronavirus being highly contagious, employees’ fiduciary duty under employment law requires them, at the very least, to inform their employer if they are infected with the coronavirus in situations where the employee had contact with other employees. Where a works council exists, such reporting obligations could also be regulated under employment agreements.
Q: Can a company ask employees and visitors to answer the following questions before entering company premises: (i) have you stayed in a high-risk region?; (ii) have you had any contact with someone who has tested positive for COVID-19?; and (iii) do you have any symptoms of COVID-19 (such as a headache, runny nose, cough or fever)?
A: Generally yes. In terms of data protection law, such questions can be asked on the basis of article 22.1.1(c) FDPA, provided that it is necessary “for protection against serious cross-border health risks.” Alternatively/additionally, articles 9.2(b) and 9.2(i) GDPR could serve as a legal basis if and because the protection of employees against infection is a duty of the employer under the Occupational Health and Safety Act (Arbeitsschutzgesetz – ArbSchG). Given its spread, coronavirus can be categorized as a “serious cross-border threa[t] to health” within the meaning of article 9.2(i) GDPR. However, it is always important to consider whether such measures are necessary.
In addition, visitors may be required to answer the questionnaire as this also serves to protect employees. “Yes” responses can, to the extent that this is authorized, be further processed until there is full clarity about the visitor’s health status. On the other hand, it is only necessary to document the process and not the questionnaire responses if they are all “No.” Employees and visitors should be informed of this, as required under the GDPR. If a works council exists, co-determination rights (Mitbestimmungsrechte) need to be considered.
Q : Does a company have to inform its employees that a case of coronavirus has occurred in the company?
A: Yes. In particular if the employees are at risk of infection, e.g., if the occurrence is at the same company site or within the same team. This follows from the employer’s duty of care toward their employees. A similar requirement may exist toward business partners under civil law fiduciary duties. However, in general, the company must not reveal the identity of the affected individual or further details of the infection.
Q: Can the employer enter additional data (e.g., home phone numbers, private cell phone numbers or email addresses) into their HR systems to be able to contact employees who are in quarantine?
A: Yes. However, it should be up to the employees to decide whether they want to give their private cell phone number to the employer as this data is particularly sensitive owing to the possibility of it being retained on a permanent basis by the employer.
Q: Can a business screen visitors for coronavirus or coronavirus-like symptoms?
A: Generally no, unless the visitors agree to screening. However, if a visitor refuses to be screened, the business can deny access to its premises on the basis of its right of residence.
Q: Does a company have to inform the public authorities if an employee is infected by coronavirus?
A: No. Only doctors and persons with equivalent medical status have a reporting duty under the German Protection against Infection Act (Infektionsschutzgesetz – IFSG) and the German Coronavirus Ordinance (CoronaVVo).
Please see more FAQ on data protection law and the coronavirus on the website of the Baden-Württemberg data protection supervisory authority and on EU level the Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak.