Privacy and Corona – DSK makes recommendation

The Data Protection Conference (DSK), the body of the independent German data protection supervisory authorities of the Federal Government and the Länder, has commented on the topic of Corona and data protection.

Processing of health data

Although health data may be processed only under restrictive conditions, data can be collected and used in compliance with data protection law for various measures to contain the Corona pandemic or to protect employees. In doing so, the principle of proportionality and the legal basis must always be observed.

For example, the following measures to contain and combat the Corona pandemic may be considered legitimate under data protection law:

personal data

Collection and processing of personal data (including health data) of employees by the employer or public-sector employer in order to prevent or contain the spread of the virus among employees as effectively as possible. This includes, in particular, information on cases:

  • where an infection has been detected or where there has been contact with a demonstrably infected person.
  • where a stay took place during the relevant period in an area classified as a risk area by the Robert Koch Institute (RKI).

Collection and processing of personal data (including health data) of guests and visitors, in particular to determine whether they

  • are infected themselves or were in contact with a demonstrably infected person.
  • have been in an area classified as a risk area by the RKI during the relevant period.

On the other hand, disclosing the personal data of persons who are demonstrably infected or suspected of being infected in order to inform contact persons is lawful only if knowledge of their identity is exceptionally necessary for the contact persons' precautionary measures.

Fines rise sharply

The implementation of the GDPR and the increased number of official audits are leading to ever-increasing fines.

High penalty for German real estate group

Under the old BDSG, fines were limited to a maximum of 300,000 EURO. Now, under the GDPR, up to 20 million EURO can be due, or up to four percent of worldwide annual turnover.

Even if the full range of fines has not yet been used, the fines are rising sharply: the highest fine in Germany was imposed on the real estate company Deutsche Wohnen. In November last year, the Berlin Data Protection Authority issued a fine of 14.5 million EURO for the unauthorised storage of tenant data within the Group.

Fines imposed have quadrupled

Although spectacular fines such as those shown above have hardly occurred so far, there is a trend: the number of reported infringements and fines has increased sharply in the last six months. In 2018, the authorities had issued “only” 40 fines. In the past year, more than 185 fines were imposed.