The Data Protection Conference (Datenschutzkonferenz, DSK), the body of independent German data protection supervisory authorities of the federal and state governments, have expressed their views on the topic of Corona and data protection.

Processing of health data

Even if the processing of health data is in principle only possible in a restrictive manner, data can be collected and used for various measures to contain the Corona pandemic or to protect employees in accordance with data protection law. The principle of proportionality and the legal basis must always be observed.

For example, the following measures to contain and combat the Corona pandemic can be considered legitimate under data protection law:

personal data

Collection and processing of personal data (including health data) of employees by the employer or principal in order to best prevent or contain the spread of the virus among employees. This includes, in particular, information on cases

in which an infection has been detected or there has been contact with a demonstrably infected person.
in which a stay in an area classified as a risk area by the Robert Koch Institute (RKI) took place during the relevant period.

Collection and processing of personal data (including health data) of guests and visitors, in particular to determine whether they are

are infected themselves or have been in contact with a demonstrably infected person.
have stayed in an area classified as a risk area by the RKI during the relevant period.

In contrast, the disclosure of personal data of persons who are demonstrably infected or suspected of being infected for the purpose of informing contact persons is only lawful if knowledge of the identity is exceptionally necessary for the precautionary measures of the contact persons.