The Data Protection Conference (DSK), the body of independent German federal and state data protection supervisory authorities, has commented on the topic of coronavirus and data protection.

Processing of health data

Even if the processing of health data is generally only possible on a restrictive basis, data can be collected and used for various measures to contain the coronavirus pandemic or to protect employees in compliance with data protection regulations. The principle of proportionality and the legal basis must always be observed.

For example, the following measures to contain and combat the coronavirus pandemic can be considered legitimate under data protection law:

personal data

Collection and processing of personal data (including health data) of employees by the employer or principal in order to prevent or contain the spread of the virus among employees in the best possible way. This includes, in particular, information on the cases

• in which an infection has been detected or contact with a demonstrably infected person has taken place.
• in which a stay in an area classified as a risk area by the Robert Koch Institute (RKI) took place during the relevant period.

Collection and processing of personal data (including health data) of guests and visitors, in particular to determine whether they

• are infected themselves or have been in contact with a demonstrably infected person.
• have stayed in an area classified as a risk area by the RKI during the relevant period.

In contrast, the disclosure of personal data of persons who are demonstrably infected or suspected of being infected in order to inform contact persons is only lawful if knowledge of the identity is exceptionally necessary for the precautionary measures of the contact persons.