In the following article, data protection expert Mareike Vogt from TÜV SÜD Sec-IT explains how health data should be processed in the event of a corona infection in accordance with the requirements of the EU GDPR. A checklist shows how data protection can be observed. Many companies are considering introducing measures to protect employees from a corona infection, for example by taking general temperature measurements. This collects sensitive data in the form of health data, which may only be processed in accordance with the requirements of the EU GDPR.
Data collection requires a legitimate purpose
“A legitimate purpose is required for every data collection, which is fulfilled by the processing. However, an increased temperature is not yet confirmation of an infection with Covid-19. It is therefore questionable what informative value the employee’s temperature has and whether this measure makes sense at all,” explains Mareike Vogt from TÜV SÜD Sec-IT. Article 9(1) of the EU GDPR prohibits the processing of special categories of personal data, such as health data. However, the legislature has provided specific exceptions under which the processing of particularly sensitive data is possible.
These include, for example, the explicit consent of the data subject, legal requirements under labor law, or processing to protect the vital interests of the data subject or another natural person. In addition to a legal basis from Art. 6(1) EU GDPR, companies therefore also need one of the conditions of Art. 9 EU GDPR in order to process health data.
Data protection: Correct behavior in the event of illness
In principle, employees are initially not obliged to inform their employer of the reason for their incapacity for work. Under the Infection Protection Act, however, the doctor is already obliged to report a suspected or confirmed Covid-19 illness. The health department then initiates further measures and can consequently also contact the employer of the infected person. If the employee himself or the health department informs the employer of a Covid-19 illness, the name of the infected employee may not be communicated to the rest of the workforce.
However, it should be clarified which colleagues the employee was in contact with and which measures must be taken under the employer’s duty of care. This can also mean a temporary return to working from home. The responsible health department takes care of further investigations in accordance with Section 25 of the Infection Protection Act. For this purpose, the company can be asked to transmit personal data of employees to the health department.
The following is a checklist for the implementation of EU GDPR-compliant data processing:
- What is the data required for, and what should be achieved with the processing? Can the purpose be achieved with alternative measures?
- Which data are needed to fulfill the purpose? Is it necessary to collect particularly sensitive data?
- Is a legal basis available for the data collection?
- When personal data are processed on the basis of a legal requirement, a retention period may be associated with it.
- Involve the company’s data protection officer early if a new data processing measure is planned.
Founded in 1866 as a steam boiler inspection association, TÜV SÜD is today a global company. More than 25,000 employees at over 1,000 locations in around 50 countries ensure the optimization of technology, systems and know-how. They contribute to making technical innovations such as Industry 4.0, autonomous driving or renewable energies safe and reliable. (sg)