Out of the home and into the office: data protection and going back to work

Stefan Hessel

The situation with coronavirus has improved somewhat and restrictions are now being lifted. But the lifting of these restrictions is creating new requirements and many companies are asking how they can go beyond their legal obligation to protect customers and employees from the coronavirus. Data protection law plays a key role in this regard as well.

In recent weeks, the coronavirus pandemic has forced many companies to send their employees home or cease to operate altogether. Each stage of the process was accompanied by questions of data protection law from the time the first restrictions were adopted, including the assignment of employees to work from home, statements from data protection authorities about video conferencing software and detailed questions about processing contracts and data protection inspections. Some of the strict measures which had been taken to combat coronavirus have now been withdrawn and the lifting of restrictions is expected to continue. Nevertheless, things are not yet back to normal and the virus is still not under control for good. Accordingly, there are many requirements associated with the lifting of the restrictions, such as collection and processing of contact information in the restaurant and hotel industry and requirements with regard to occupational health and safety. Moreover, many companies would like to go beyond what is required by law in protecting their customers and employees. Precautionary measures frequently require processing personal data, regardless of whether they are required by law or taken on a voluntary basis. As a result, data protection law is no less relevant now that the lockdown has ended.

In addition to guidelines for specific industries, which differ considerably in some cases from State to State, notices issued by the data protection authorities are particularly relevant for companies right now. A good starting point for the fundamental considerations in this regard is provided by the resolution of the German Data Protection Conference on data protection principles in combating the coronavirus pandemic (PDF / only in german), which was adopted on 3 April 2020. This document makes it clear that just having a legal basis for data processing is not enough. Rather, the GDPR requires companies to notify data subjects and guarantee their rights, aside from other duties.

That errors can be made in the present situation, especially in industries where compliance with data protection law tended to be a marginal issue, is acknowledged in the latest notices (only in german) from the office of the Data Protection Commissioner of the State of Mecklenburg-Lower Pomerania. Fortunately, these notices demonstrate a strong disposition to be practical and lead us to expect that the current situation will be taken into account in assessing inadvertent data protection breaches. The object of the notices is to help controllers implement and comply with the Ordinance of 8 May 2020 of the State of Mecklenburg-Lower Pomerania on the Transition after the Coronavirus Protection Measures (PDF / only in german). In accordance with § 8(3) of this Ordinance, event organizers are required to keep lists of those attending their events, including the name, address and telephone number of everyone present. The data protection authority will be providing controllers with forms and templates, customized for each specific industry, which will allow them to implement the necessary measures while complying with their duty to notify data subjects. Documents are available for hairdressers, tanning and nail salons, cosmetics institutions and all other body care services (only in german), for cafés, restaurants and other food businesses (only in german), and for event organizers (only in german). The Saarland data protection authority has also published templates of data privacy notices (only in german) for the collection of customer data in the restaurant industry, together with the Independent Data Protection Center of Saarland.

The office of the Commissioner for Data Protection and Freedom of Information of the State of North Rhine-Westphalia has also issued notices lately (only in german) to help businesses implement that State's Coronavirus Protection Ordinance (only in german). It is evident from these notices that, to the extent that the Ordinance requires the processing of personal data, this processing can be performed based on Article 6(1) Sentence 1(c) of the GDPR, i.e. based on a legal obligation, meaning that it is not necessary to obtain the consent of the data subject. This applies for restaurants as well as for craft and service businesses. The office of the Commissioner has also issued notices concerning technical and organizational data protection measures. For example, lists must be replaced every time new guests come in and can only be transmitted through secure channels. Similar information has been published by the Hessian data protection authority (only in german) as well.

The declaration from the Hamburg Commissioner for Data Protection and Freedom of Information is particularly encouraging in light of the problems currently weighing upon the economy. In its coronavirus FAQs (only in german), under the heading "fines," the Commissioner's office announced that no fines will be levied for the time being in order to avoid creating further problems for businesses. Also in its FAQs, the Commissioner's office addresses the issue of registering customers by name (heading: "Do customers have to be registered by name?"). It states that, to the extent that such measures are required under Hamburg's Coronavirus Ordinance, businesses may do so based on Article 6(1)(c) of the GDPR (legal obligation). But even outside the scope of the Ordinance, the Commissioner's office takes the view that registration can be performed based on a legitimate interest (Article 6(1)(f) of the GDPR).

Additional notices from data protection authorities may be expected in the coming days and weeks. Aside from the new opinions from the data protection authorities, the same requirements apply as at the beginning of the pandemic, particularly for voluntary measures.

[May 2020]