Data protection and vaccinations

With the debate over Corona vaccinations in particular, the vaccination card is becoming more and more important, and many are getting the feeling that it is becoming a "ticket to freedom." The expectation is that the vaccination card will allow access to public events, summer vacations, and even a way out of the home office.

But how should the presentation of the vaccination certificate be assessed from a data protection perspective?

Proof of vaccination to the employer

May the employer ask to see the vaccination certificate or proof of a specific vaccination?

The vaccination record contains a great deal of personal data and, in particular, health data, which fall under Art. 9 GDPR and therefore require special protection.

In principle, the employer may only process data that is necessary for the employment relationship. In fact, since the introduction of the Measles Protection Act (which is based on Art. 9 II lit. i GDPR), there is an obligation in some professions to provide proof of vaccination against measles. But this does not mean that the employer may view the entire vaccination record or copy the relevant page. In this case, other solutions (such as inspection and written confirmation by two HR staff) should be used to ensure data minimization and purpose limitation.

In any case, employers are in a dilemma between the obligation to provide evidence and data protection, and should consult the respective data protection officer on a case-by-case basis.

Can the employer require other vaccinations?

Vaccinations other than against measles are not yet mandatory in Germany. Accordingly, the employer may not demand proof of them.

As things currently stand, even allowing employees vaccinated against Covid-19 to work in the on-site office rather than from home, for example, would require a change in the law.

Handling Corona Tests

The special protection of Art. 9 GDPR also applies to Corona tests/rapid tests and their results. It must therefore be ensured that the results are stored securely and destroyed as quickly as possible, and that access is given only to those persons who absolutely need it (for example, the employees entrusted with safekeeping or the company doctor), entirely in accordance with the "need-to-know principle".

If a test is positive, this too may only be communicated anonymously.

Especially where Corona and data protection are concerned, much is still in flux, and it is essential to consult the data protection officer regularly. Vaccination cards and data must always be handled very carefully.
