Coronavirus - Data processing in times of the COVID-19 crisis - Germany


31-03-2020

What is going on?

On 30 January 2020, the WHO announced an international health emergency due to the progressing spread of the coronavirus. Since then, the spread has been explicitly classified as a pandemic. A large number of countries have closed their borders, and companies have significantly cut back on their activities in order to avoid the spread and infections. Due to official instructions, some companies are forced to shut down fully. Factories closed down due to quarantines have led to a high loss of production for a large number of companies.

All of this has put a severe strain on international trade relations, mainly due to supply shortages, interrupted transport routes and short-term cancellations of events, employees working short of their capacity, loss in revenue and possibly existential risks for companies.

On top of these issues, companies must deal with the risk of infection in their own organisations and find ways to handle the information flow to their workforce to delay the rapid spread of the virus as long as possible and to help reduce the pressure on the health care system.

To what extent could I be affected?

A large number of companies are currently considering to what extent they may process personal data of employees, guests and visitors in order to be able to implement particular measures in connection with the coronavirus.

What do I need to know from a legal perspective?

| Are companies permitted to examine their employees, guests and visitors to determine whether they are infected with the coronavirus?

In principle, no. In case of doubt, companies should contact the competent health authority instead of collecting health data at their own discretion or against the data subjects' will (e.g. by measuring their temperature). In exceptional cases, other approaches are possible if the data subject agrees on a voluntary basis.

| Are companies permitted to ask their employees, guests and visitors whether they had recently been to risk areas or had contact with any person that was verifiably infected?

Yes.

| Are companies permitted to inform their employees, guests and visitors that a certain person is verifiably infected and that they could be a contact person?

Only as a last resort. Due to the risk of stigmatisation, companies should follow a three-stage process:

  • 1st stage: companies should warn such persons on a department or team level who were in direct contact with the infected person (without naming the infected person)
  • 2nd stage: companies should contact the competent health authorities and ask for their decisions
  • 3rd stage: companies should warn other persons (including naming the infected person)

| Are companies permitted to collect their employees' private contact data in order to be able to contact them in case protection measures must be taken (such as closure of the business)?

According to the Data Protection Officer of the Federal State of Baden-Wuerttemberg, this is only permissible with the employees' consent. We, in contrast, believe that in this exceptional situation companies may collect private contact details of employees who do not have a business mobile phone even without their permission. Companies may then contact the employees via their private contact details if both of the following preconditions are met at the same time:

  • the protection measure must be taken so quickly (e.g. late at night) that it was not possible to contact the employees via their business contact details; and
  • the protection measure is so crucial (e.g. closure of the business) that it would not be acceptable to only contact the employees the next day via their business contact details.

What can I do now and what is there to observe?

| What must companies observe when their employees are working from home?

One of the most important preventive measures against the spread of the coronavirus is social distancing. Therefore, a large number of companies have decided to have their employees work from home. In principle, data protection laws do not exclude work from home. When work is transferred into the employee's private environment, however, the company's ability to influence and control decreases, and at the same time the risk of unauthorised disclosure of and/or unauthorised access to personal data by third parties increases (data breaches which might trigger a notification obligation with the competent supervisory authority). As a result, companies should take adequate measures to ensure data protection when working from home and when documents and data carriers are transported between the business premises and homes.

| Which measures can companies take in order to ensure data security when working from home?

The Federal Commissioner for Data Protection and Freedom of Information in particular recommends the following measures:

  • employees' access to sensitive personal data only with a PIN and a hardware-based trust anchor (two-factor authentication)
  • connection exclusively via a so-called virtual private network (VPN)
  • encryption of the data (end-to-end security) incl. storage encryption on the mobile device
  • locking USB and other connections
  • no connection of printers
  • no private use of the IT equipment provided for work
  • regular training/education of the employees with regard to a use of mobile equipment that ensures data security and compliance with data protection laws

| Which measures can companies take to ensure data security during the transport of documents and data carriers between the business premises and homes?

The Federal Commissioner for Data Protection and Freedom of Information in particular recommends the following measures:

  • data carriers must always be transported encrypted and paper documents in closed containers;
  • data carriers and documents may never be left unattended.

| Can companies take additional measures to monitor employees working from home?

No. For monitoring measures applied to employees working from home, the same standards must in principle be maintained as with employees regularly working on the business premises. Companies with works councils must first consult the works council in any case.

| Are companies obliged to enter into a separate agreement regarding work from home with the employees?

Yes, we recommend the conclusion of an agreement. From a data protection perspective, this agreement should in particular regulate the respective responsibilities, the relevant data protection measures and the control and access rights of the company with regard to the employee's home. Companies with works councils must first consult the works council in any case.

Helpful resources

Write to us at covid19@eversheds-sutherland.de