The pandemic is prompting German federal and state governments to take increasingly drastic measures in order to contain Covid-19. Many employers are wondering what kind of measures they themselves can take to prevent the virus from spreading within their own company. Which data are they allowed to collect from their employees and customers? Can employees simply work from home? Many companies need to act quickly and take effective measures right now against the spread of the corona virus. In doing so, companies should take the following data protection aspects into account:
Am I, as an employer, allowed to collect and process employee health data in connection with Covid-19?
Although employers have an obligation to protect the health of their employees, this does not constitute a right to extensive collection and storage of health data. Generally speaking, employers have to limit the collection of health data to the necessary information only.
For example, it may be considered necessary and therefore permissible if the employer inquires whether the employees have visited risk areas and have experienced typical symptoms of corona. Employers should make sure to interview their employees confidentially. They should avoid interviewing in the presence of colleagues in order to avoid stigmatizing the (potentially) sick person.
If an infection has been detected, only those employees who have a legitimate interest in it should be informed, for example the human resources department or colleagues who had direct contact with the infected person. Any further disclosure of health data is not necessary and therefore not allowed.
Is it permissible as a company to collect contact information from visitors or customers in connection with Covid-19?
Visitors or customers of a company can be asked to fill out a form requesting contact details and information about visits to certain countries. It should be noted here that the collected contact and health data may only be used to take further protective measures, but not for other purposes, such as email marketing. In addition, this data must be deleted as soon as the health risk no longer exists.
Is it possible to carry out fever checks on employees and customers?
Even in this time of crisis, employers should refrain from forcing employees and visitors to take part in so-called fever checks, as is currently the case at numerous airports. Fever checks on employees are generally not permitted. According to the current state of medical knowledge, fever checks are to be deemed an unsuitable measure, since people who have been infected with the corona virus do not necessarily get a fever and an elevated body temperature in turn does not necessarily allow the conclusion that a person is infected with the corona virus.
However, employers can procure fever checking devices and make them available to employees of the company as well as visitors for voluntary fever measurement. It is up to the employees or visitors what conclusions they draw from such measurements with regard to the corona virus and whether they inform the employer or the company about the result.
How can companies guarantee data security for work done from home?
In order to curb the corona pandemic, it makes sense to have employees work from home. For this, many companies have to quickly create infrastructure that enables employees to work remotely without a drop in performance.
The employer, as the one responsible, is bound to take technical and organizational measures that provide an appropriate level of data security. The employer has to set up an IT infrastructure through which employees can access the company server from home via a secure remote desktop connection (VPN). In addition, employees must be provided with all necessary IT equipment (laptops, telephones, printers, etc.) that guarantees a smooth workflow and is equipped with up-to-date anti-virus software.
In addition, employees need to be contractually prohibited from using private hardware and software in order to avoid the loss of work results and to prevent data breaches. Another matter to be regulated in a home office guideline is raising the awareness of employees when dealing with business documents outside the company premises. For example, no printouts should be made on home printers, and no physical documents should be stored at home if they cannot be locked away securely from third parties.
We provide counsel on data protection requirements
Are you currently facing the challenges described? Our experts in data protection law will be happy to advise you and help you to react to the new circumstances quickly and in accordance with data protection regulations. Feel free to contact us via e-mail or telephone (+49 69 76 75 77 80)!