German Federal Data Protection Act

by Tim Wybitul, Dr. Wolf-Tassilo Böhm, Isabelle Brams, Dr. Tarik Arabi, Joachim Grittmann, Valentino Halim

Effective measures to combat the risks resulting from COVID-19 may require processing personal data, but companies must balance employees' privacy rights against the protection of employee health.

German data protection authorities have published initial guidance for companies that process personal data, outlining how they should protect their employees and their businesses from risks resulting from COVID-19. Under the EU General Data Protection Regulation (GDPR), health data, including information about virus infections, is a special category of personal data under Art. 9(1) GDPR. Such sensitive data may only be processed if the controller meets one of the strict conditions set out for it. Processing may be lawful, in particular, where it is necessary for carrying out the controller’s obligations in the field of employment law (Art. 9(2)(b) GDPR). Employers clearly owe their employees a duty of care to protect them from exposure to COVID-19; however, the individual use cases and the GDPR provisions potentially applicable to them are complex and challenging. Moreover, employers in Germany must observe the additional requirements of the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), notably its rules on employee data processing. Companies should also observe the guiding principles that derive from well-established German case law on employee data privacy.