Coronavirus and data protection Questions for employees, reporting obligations and risks when working from home

Many companies are currently requesting employees' private telephone numbers. According to the Baden-Württemberg State Commissioner for Data Protection and Freedom of Information (LfDI), this is only permitted with the consent of the employees. The telephone numbers will also have to be deleted after the end of the pandemic.

Against the background of the duty of care under employment law and the Occupational Health and Safety Act, employees returning from vacation may be asked whether they have been in a risk area and, if so, who they have been in contact with.

The name of an employee who has contracted the coronavirus may only be disclosed to the other employees as a last resort if no other measures can be taken to protect the other employees.

If health authorities request information about customers, visitors or event participants, care should be taken to ensure that an official order has been issued. This can - if lawful - constitute a legal basis for data transfer. As such transfers will often not be included in the company's general privacy policy, this should be adapted in advance.

The Infection Protection Act (IfSG) may result in reporting obligations, in particular for doctors, hospitals and laboratories, with the contents of Section 9 IfSG (e.g. name of the person concerned and suspected diagnosis).

When working from a home office, technical and organizational measures (TOM) must be taken to ensure the protection of personal data. If you have entered into an order processing contract as a contractor, you must ensure that the agreed TOMs are also complied with in the home office. It should also be noted that some technical changes may violate contractual obligations. For example, the use of some video telephony solutions could violate confidentiality agreements with customers or suppliers. In addition, a data protection design is required for the video telephony solution.