Data Protection Academy » Data Protection News » Data protection compliance during coronavirus pandemic

A scientist in protective clothing looks at the coronavirus

Data protection compliance during coronavirus pandemic

“Wir stehen am Anfang einer Epidemie” so Bundesgesundheitsminister Jens Spahn in den Medien. Es handele sich dabei um seine persönliche Einschätzung, wie er betonte. Problematisch ist, dass nachdem die Infektionskette nicht nachvollzogen werden kann, die aufgetauchten Fälle in keinem Zusammenhang stehen und Personen, die erkrankt sind, zuvor Veranstaltungen besucht haben. So ist zu erwarten, dass sich weitaus mehr Personen bereits infiziert haben, als bisher vermutet. Der Data protection of your company must be respected, despite coronavirus pandemic.

Where is the connection between data protection and Coronavirus?

If the coronavirus continues to spread, it is likely that employees will become ill. Those responsible must be legally (Article 32 GDPR and the § SECTION 64 BDSG) ensure that data protection-compliant processing is ensured through the use of suitable technical and organisational measures - even in the event of illness of the responsible employee or even managing director.

In the event of an epidemic (the occurrence of an infectious disease in a certain limited area of distribution) or even a pandemic (a widespread epidemic affecting entire regions or countries; a large-scale epidemic), those responsible must pay particular attention to two factors:

  • Maintenance and fulfilment of the Rights of data subjects in the time defined by law
  • Measures that ensure or maintain IT security in the company, especially with regard to Data breaches and other disturbances which limit the security of the processing of personal data. All this also with regard to the security of operational and business data (BI).

The deadlines for fulfilling the obligations are precisely defined. If you now think that none of this is necessary because you only do business with companies, please bear in mind that people whose data you are processing work everywhere. Your own employees are in particular focus.

What can controllers do?

Over the next few weeks, controllers must expect the coronavirus to spread further. Employers in particular are required to continuously monitor the situation and evaluate it for their own company's employees and customer contact. It makes sense to take concrete measures now.

General protective measures to prevent the spread of the coronavirus in your company


Employees who were in Asia

If employees have been in Asia for the last four weeks, either privately or on business, the possibility of working from their home office should be considered. According to current assumptions, the incubation period is approximately five days. In a small number of affected persons, the first symptoms were observed after approximately 12 days after infection. To be on the safe side, working from the home office for 14 days is recommended.

Missions and other external appointments

Insofar as this is not absolutely necessary, current digital communication should be predominantly digital. Only instruct your employees to attend external appointments in exceptional cases.

Office collaboration

Good hand hygiene and the temporary renunciation of shaking hands are important measures to avoid infection or further spread. Equip your offices with disinfectants and raise awareness of this topic.

External Data Protection Officer

You are welcome to contact us as external data protection officer (DPO) order. We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.

Data protection measures that managers must now implement

In the event of a data breach or failure to provide information to a data subject in a timely manner in order to safeguard his or her rights as a data subject, the supervisory authority would ask you, when stating the reason, which is the existence of an epidemic or pandemic, whether you have taken organisational and technical measures in advance to counter this danger.

To prepare for such a case, you must document the measures taken. There are processing activities and technical and organisational measures specifically for this case that will help you to argue with the supervisory authorities.

Our data protection experts have developed emergency, epidemic/pandemic or vaccination plans and checklists. Robin Data customers can access these documents free of charge, either as a processing activity or TOM in the software or on request from their data protection officer.

More about this in our privacy community: Corona, data protection and restriction of public life / influenza

Free Download

Sensibilisieren Sie Ihre Mitarbeiter und Kollegen mit dem Posters “Hygienemaßnahmen am Arbeitsplatz”

Download now free of charge: Poster-Hygiene-Infections-Workplace-Robin-Data

Robin Data Poster Hygiene measures at the workplace during the pandemic

Caroline Schwabe
Latest posts by Caroline Schwabe (see all)

This might interest you too:

Smart Home Privacy Concerns

Smart Home applications: Find out why the benefits in everyday life often involve data protection risks and how you can protect yourself.

Data protection and data security while working from home

What do employers and employees need to be aware of? Concrete tips on data protection and advice on data security.
Picture of Thomas Ulrich on Pixabay

Federal Council increased duty to appoint data protection officer to 20 persons

On 20 September, the Federal Council decided that a company data protection officer only needs to be appointed if the number of employees exceeds 20.