The Data Protection Conference (DSK), the body of the independent German data protection supervisory authorities of the Federal Government and the Länder, have commented on the topic of Corona and data protection.
Processing of health data
Although the processing of health data is only possible in a restrictive manner, data can be collected and used in accordance with data protection for various measures to contain the Corona pandemic or to protect employees. In doing so, the principle of proportionality and the legal basis must always be observed.
For example, the following measures to contain and combat the Corona pandemic may be considered legitimate under data protection law:
Collection and processing of personal data (including health data) of employees by the employer or serviceor in order to prevent or contain the spread of the virus among employees in the best possible way. This includes, in particular, information on the cases:
- where an infection has been detected or where there has been contact with a demonstrably infected person.
- where a stay took place during the relevant period in an area classified as a risk area by the Robert Koch Institute (RKI).
collection and processing of personal data (including health data) of guests and visitors, in particular to determine whether these
- infected themselves or were in contact with a demonstrably infected person.
- have been in an area classified as a risk area by the RKI during the relevant period.
On the other hand, the disclosure of personal data of persons who have been demonstrably infected or suspected of being infected for the provision of contact persons is only lawful if the knowledge of the identity for the precautionary measures of the contact persons is is exceptionally necessary.