Data Protection in Germany during Covid-19

• PROCESSING OF HEALTH DATA AND GEOLOCATION » 

• Pan-European COVID-19 mobile application approach » 

• TELEWORKING » 
  

• DATA PROTECTION OBLIGATIONS » 

• WEBSITES PROTECTION » 

• COUNTRY SPECIFICS » 

Currently, there are no general legal obligations in Germany to collect health data (temperature measurements) for access to facilities. With regard to contact tracing, regulations have been issued in some federal states that provide for the collection of data in certain areas (restaurants) and can be regarded as a legal basis within the meaning of the GDPR. In addition, occupational health and safety regulations recommend the documentation of visitors and their contact details to enable contact tracking; in this case the legal basis under data protection law is unclear.

Individual GPS tracking is not used because it is deemed unsuitable. Anonymised mobile phone localisation data were used by the German epidemic control agency to understand the slowing or acceleration of population movements.

Mandatory temperature measurements of employees, suppliers or visitors are controversial in terms of data protection. Since the highest risk of infection already exists two days before symptoms appear, and since the illness, with the risk of further infection, sometimes occurs completely without symptoms, temperature measurements appear to be of only limited use and may therefore not be necessary. At best, they can be considered as supplementary measures and especially if local events (either in the affected company or in the region) show an increased risk of infection. Supervising authorities are currently investigating supermarkets that have used thermal scanners for all visitors.

The German government supports the Pan-European Privacy-Preserving Proximity Tracing Initiative (PEPP-PT), in which, among others, two leading German scientific institutes are involved. The Corona app, based on a decentralized software architecture, is being developed by Deutsche Telekom and SAP. Interoperability with other European solutions is to be worked to achieve. The app is to be optional for German citizens, comply with the applicable data privacy regulations and ensure a high level of IT security. It will also have an anonymous, cross-national exchange mechanism for travel between countries. In terms of functionality, the app will record which smartphones have come close to each other and store the epidemiologically relevant contacts of the past three weeks. Users are to be warned if it turns out that they were next to infected persons. 

Technically, this will be done via Bluetooth ID exchange between mobile phones. Part of the tracking data will be stored in the smartphone, another part will be distributed to several independent servers, each of which will receive only a small amount of sensitive information. This is to prevent data misuse. However, there are still concerns about data protection law, and there is still no official data protection impact assessment. Supplementing laws regarding liability or to strengthen the free consent for the use of the app are not considered now.

There are no specific German regulations regarding data protection when teleworking. Therefore, the general measures apply. Companies have to take into account the changes of operations and adjust their risk assessments, policies, processing register etc. accordingly.

There are no statutory changes regarding data protection obligations.

Some of the regional German Supervising Authorities at the moment generally accept the use of personal devices of employees for video conferencing or messaging between employees as well as towards customers, provided that at least certain privacy requirements are fulfilled (password protected devices, data minimisation, etc.). The commitment, which applies only to certain branches and regions, has already be prolonged, now until 14 June 2020.

Other Supervising Authorities stated not to issue fine notices in ongoing fine proceedings for the time being in order to ease the burden on companies and tradespeople in the current process of adapting to the numerous changes resulting from the corona crisis.

Some health authorities on request gave lists with the contact details of infected persons to police services, which was considered by all the regional Supervisory Authorities to be an unjustified processing of health data under the GDPR.

Identity theft occurred on a larger scale during the 1st phase of state support measures. It was relatively easy for companies to apply for subsidies or loans via websites operated by federal states, which were granted quickly. Since identity verification was initially neglected, fraudsters took advantage of these support services by demanding by demanding (and receiving) payments for existing companies themselves.

There are currently no specific changes in German privacy law.