Are employers allowed to process and disclose health data of employees in the context of a COVID-19 crisis management?


Due to the ongoing developments in connection with COVID-19, almost all companies have to take appropriate crisis management measures in order to comply with the new legal requirements imposed by governments.

However, both the Austrian Data Protection Authority and the European Data Protection Board stressed in their communications to the public that even in these exceptional times, controllers must ensure personal data remains protected. In particular, the GDPR stipulates strict rules for controllers and processors about processing health data.

1. Principles related to personal data processing

The data minimization principle and the purpose limitation principle must always be obeyed, even in the context of crisis management. Personal data (e.g. of employees) may only be processed to the extent necessary and for specified, explicit and legitimate purposes. In addition, transparent information on the processing activities must be provided to the respective data subjects.

We recommend implementing additional security measures and confidentiality policies to prevent third parties gaining unauthorized access to data processing activities in connection with health data. Regarding the accountability of the controller, data processing operations – even if they occur during emergency situations – and the considerations raised during the decision-making process must be adequately documented.

2. Legal basis for processing employee health data in case of infection

If an employee has tested positive for COVID-19, the employer must decide whether any personal data is disclosed in communications with internal or external parties (including authorities).

Most employment laws provide for a “duty of care” of the employer vis á vis the employees. Accordingly, the employer must organize the work environment in such a way that the life and health of the employee is protected to the greatest extent possible. The employer must inform the employees about COVID-19 cases in order to protect them from any health dangers. Considering the danger arising in connection with COVID-19 cases, it will not be enough to indicate an unspecified health risk. We are of the opinion that employers will be obliged to explicitly name the COVID-19 risk. The “duty of care” involves protective measures which – under certain limited circumstances – may involve the disclosure of names of infected employees. Whether the names can be disclosed must be assessed on a case by case basis. Employers must always obey the data minimization principle and only disclose as much information as necessary in the particular case.

Article 9(2)(b) of the GDPR serves as the legal basis if "processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law". However, this only applies if national legislation or a collective agreement under national law provides adequate safeguards for the fundamental rights and interests of the respective data subjects.

The “duty of care” in combination with Article 9(2)(b) of the GDPR constitute the legal basis for processing and disclosing employee health data within the framework of corona crisis management to prevent the spread of the disease.

Article 9(2)(b) of the GDPR contains a “necessity criterion”. It means that, due to the exceptional nature of the provision, Article 9(2)(b) of the GDPR must be interpreted strictly. The data processing and disclosure of employees' health data must be necessary to exercise the employer´s care vis á vis the employees and thereby prevent their infection. If processing or disclosing health data is not necessary to protect the other staff members, it is forbidden.

In addition, Article 9(2)(b) of the GDPR requires the controller to implement appropriate safeguards to protect the fundamental rights and interests of the data subjects. In the context of data processing during the course of internal or external communication, the controller may implement additional security measures, introduce confidentiality guidelines or establish procedures to enable data subjects to exercise their rights of objection, correction and deletion (e.g. if an alleged COVID-19 infection turns out to be a common influenza).

3. Case by case decisions

Each individual case must be assessed to determine whether an infected person’s name ought to be shared with work colleagues. In some situations it may be necessary to communicate the name to other employees, for example, to find out about other (potentially) infected persons who have been in close contact with the infected person.

Regardless of the outcome of a decision-making process, processing such data requires the employer to inform employees of the emergency data processing operations being carried out in accordance with Article 13 of the GDPR. It may therefore be necessary to adapt existing data protection policies.

Health data collected in connection with COVID-19 crisis management measures must be deleted as soon as they are no longer necessary for the protection of other staff members.