
Returning your workforce: Checklist of data protection considerations

05 June 2020
COVID-19 cuts across a large number of data protection issues in the employment context. It may also involve the processing of highly sensitive information about your staff and people connected to your staff (such as their household and family members).

Maintaining the health and safety of workers and protecting the economic interests of the business are the paramount concerns when organising the return of the workforce to the workplace.

German employment law as well as special legislation on occupational health and safety require employers to take adequate measures to protect employees from COVID-19 infection. Such measures include information and advice on practices to avoid risks of contagion, instructions on social distancing and hygiene, access restrictions to common areas and facilities, physical barriers, etc. 

However, some of the measures intended to counter the risks of the COVID-19 pandemic also involve the collection and processing of personal data, in particular of employees. In this respect, the principles of data protection and the rights of individuals must be respected.

The checklist below is written from the perspective of the General Data Protection Regulation ('GDPR') and the German Federal Data Protection Act (Bundesdatenschutzgesetz - 'BDSG'). It takes account of official statements published by German data protection authorities and highlights some of the key data protection requirements that businesses should consider when collecting and processing personal data in connection with their return to work.

1) Check whether the return to work will change or bring in new ways of processing personal data:

Your response to COVID-19 and returning to work may involve the processing of new personal data for new purposes, existing personal data for new purposes and/or new personal data for existing purposes. In many cases, such new data processes will relate to information about physical and mental health of employees or contact persons which is generally afforded some of the highest levels of protection under the GDPR and the BDSG.

For example, each of the following situations involves the processing of sensitive health data:

- your business records that an employee shows symptoms of coronavirus;
- an employee's temperature is measured at the company entrance;
- an employee passes on the name of a potentially infected person to your business;
- your company assesses the current state of health or past infections of employees or contact persons through questionnaires.

2) Analyse the data protection requirements that are relevant to the changed or new ways of processing personal data:

Personal data must not be processed without a valid lawful basis, either on the basis of express consent given by the data subject or lawful grounds provided by applicable legislation. In addition, the GDPR and the BDSG require companies to implement specific measures to ensure privacy. Key issues to consider are:

Obtaining consent for data processing activities:

Please consider that obtaining consent from employees in the context of the COVID-19 crisis may prove burdensome: consent must be freely given, specific, informed and unambiguous (Art. 4(11) GDPR), and given the imbalance of power in the employment relationship, supervisory authorities rarely accept that an employee's consent is freely given (see Recital 43 GDPR and section 26(2) BDSG). Consent can also be withdrawn at any time (Art. 7(3) GDPR), so processing that rests on consent alone may have to stop at short notice.

Processing of personal data on the basis of lawful grounds:

Lawful grounds that may be applicable under the GDPR and the BDSG include that processing is necessary for the legitimate interests of the organisation controlling the personal data (or a third party) and that processing is necessary for the performance of a task carried out in the public interest (see Article 6(1)(f) and (e) GDPR). For processing special category personal data, relevant lawful grounds include that processing is necessary for carrying out obligations and exercising rights in the field of employment (see Article 9(2)(b) GDPR). 

Some German supervisory authorities and the German Data Protection Conference (DSK) have meanwhile expressed their views on the legality of such measures during the coronavirus pandemic. According to the DSK's statement, employers are allowed to collect the information required to fulfil their occupational safety obligations. For the purpose of occupational health and safety of the workforce, it is deemed justified to collect information on the state of health, in particular on which persons a sick employee has been in contact with. The LfDI BW (the supervisory authority of Baden-Württemberg) makes it clear that the legal basis for processing the data necessary for the purpose of occupational health and safety is Art. 6 para. 1 lit. c GDPR in conjunction with Art. 9 para. 1, para. 4 GDPR and sections 26 para. 3 and 22 para. 1 no. 1 lit. b BDSG.

However, collection of health data is only justified under these provisions for as long as the processing is limited to the purpose of preventing or containing the epidemic in an adequate manner. The adequacy of such data processing needs to be assessed on a case-by-case basis.

Privacy impact assessments:

Depending on the exact nature of the processing activity, a formal data protection impact assessment may be required under Art. 35 GDPR for activities such as:

- processing of personal data using new (innovative) technologies, e.g. tracing apps;
- profiling of workers or other processing operations used to make significant decisions about workers; or
- monitoring of workers (e.g. at home or to track their location).

International transfers of personal data:

Your response to COVID-19 and returning to work may involve new transfers of personal data, e.g. where a central HR team or a COVID-19 response team is set up in another country.

International transfers of personal data outside of the European Economic Area are restricted under the GDPR. Please consider whether the transfer is covered by any existing transfer mechanism that you have in place (e.g. Binding Corporate Rules) or whether new transfer mechanisms (e.g. Standard Contractual Clauses) or other grounds under the GDPR need to be put in place to permit the transfer.

Due diligence of third parties:

To the extent your return to work strategy may involve personal data being processed by a third party (whether that is a third party technology service provider or support from another part of your group), you should ensure that they are subject to appropriate vendor due diligence and, where necessary, that a data processing agreement (Art. 28 GDPR) is in place with them that provides sufficient guarantees with respect to the safeguarding of personal data in accordance with the GDPR.

3) Implement measures to mitigate identified data protection risks: 

Transparency about the processing of personal data is a central pillar of data protection law. 

Provide appropriate information to workers about how their personal data will be used for COVID-19 data processing activities: You should consider what you have previously told workers about how you will use their personal data and whether additional notice is required to cover your COVID-19 data processing activities. If you are also processing personal data about people connected to your staff, such as household and family members, consider what obligations you may be under to provide them with notice about your processing activities.

Review the personal data being collected to keep it to a minimum and set retention periods for the data: The personal data you collect should be kept to the minimum that is necessary to satisfy the purpose of the COVID-19 processing activity. You should also, where possible, set retention periods for the data so that it is not kept for longer than is necessary.

Consider how you will respond to the increased exercise of data subject rights: Despite the strain on resources that may be caused by COVID-19, businesses must continue to comply with data subject rights requests. In the event that COVID-19 related changes to working arrangements become contentious, there is also the potential for organisations to receive an increased number of such requests. Consider whether you have the right measures in place to handle rights requests as your organisation returns to work. For example: can you still easily access the personal data the business controls (and is the answer the same for personal data held by remote workers or on personal devices)? Do you have the people or technology available that you would usually rely on to locate personal data and assess a request? Could you handle a potential influx of requests? Will you need external support (and is that external support itself impacted by COVID-19)?

Review whether your data security measures are suitable for your new working arrangements: As we see a relaxation of lockdown restrictions, many organisations will continue to rely heavily on remote working or even move towards remote working more permanently.

- Consider whether your security controls are sufficient for a remote working environment. Questions to ask yourself include:

  - do you need to carry out a security assessment of the new tools that you have relied on, or will rely on, for remote working?
  - what security measures need to be in place to secure staff personal devices?
  - are staff now more likely to move between home and remote locations with information assets and, if so, what risks does this create?
  - what processes need to be put in place for the disposal of physical (including paper-based) assets when staff work remotely?
  - will you need to assess homeworking environments for security threats?
  - what guidance, training and awareness is required to ensure your staff are appropriately informed and understand remote working security risks and their responsibilities?

- It is also important to consider whether your existing approach to breach detection and reporting appropriately takes into account a remote working environment and any new technologies you deploy.

Consider who may adversely scrutinise your COVID-19 processing activities and address the risks they pose: 

- A range of adverse scrutineers may eventually review the decisions you take with respect to COVID-19 data processing activities. These include data protection supervisory authorities, workers, their legal representatives, shareholders and works council/trade unions. Adverse scrutineers can even include external threat actors such as criminal organisations running COVID-19 related phishing scams to gain credentials or other information from workers.

- Trying to view your COVID-19 data processing activities through the eyes of your adverse scrutineers is an important risk mitigation strategy. It can allow you to identify risks that have a greater chance of being realised or the greatest impact on your operations and prioritise them for a response.

4) Document your decision making and the policies and procedures you develop and maintain accountability:

GDPR requires that organisations are able to demonstrate their compliance with its requirements. Maintaining a clear and comprehensive audit trail of all privacy-related analysis and decision-making will help address any GDPR accountability requirements.

Example documentation includes that which is formally required under GDPR (such as privacy notices, data protection impact assessments and records of processing activities) and appropriate policy documentation as required under certain circumstances under the BDSG (e.g. when processing health data for employee health and safety purposes). It can also include the policies and documented procedures that you update and create in response to COVID-19 data processing (such as updates to IT security policies, procedures for collecting COVID-19 health information from staff and new data protection training materials).

If you would like to understand what your business needs to consider from a data perspective, please view our regulatory checklist.

If you would like to understand what your business needs to consider from an employment perspective, please view our employment checklist.