The Federal Data Protection Commissioner, Ulrich Kelber, has presented his activity report for 2021. In it he warns in particular against the overly casual handling of health data that has developed in the course of the coronavirus pandemic.

Legal regulation on the processing of health data such as vaccination status

First of all, the Federal Data Protection Commissioner states that, in view of the coronavirus pandemic, statutory provisions are needed for the processing of health data such as vaccination and recovery status or test results. The yardstick for such provisions is Art. 9(2) GDPR. The requirements of the GDPR also apply to processing in the private sector.

Where no such legal basis exists, the only remaining justification for processing this data is the consent of the data subject. In employment relationships in particular, this is problematic because the imbalance of power between employer and employee calls into question whether consent is given freely. Statutory regulation would create legal clarity, legal certainty and uniformity here.

The Federal Data Protection Commissioner, Ulrich Kelber, intends to continue advising the federal ministries involved on this goal and to work toward a legal regulation.

Health data must not become tickets

Many pandemic control measures have turned health data into de facto entry tickets. Checking health data such as vaccination or recovery status or test results constitutes processing of health data and, under Art. 9 GDPR, is permissible only under special conditions and with special safeguards for the data subjects.

The Federal Data Protection Commissioner criticizes in particular that he was not involved in the decisions on the relevant regulations. In addition, the explanatory memoranda to the drafts did not address Art. 9 GDPR at all. On the positive side, he notes that digital proof solutions partially mitigate the risks. He argues that there should also have been an additional "flanking requirement to ensure confidentiality by the controllers".

Even if the pandemic as such could constitute an exceptional situation within the meaning of Art. 9(2) GDPR, the drafts did not refer to it. There is also the risk that such casual handling of health data becomes routine.

Handling of health data in test centers

As the pandemic progressed, the tests required in many places were no longer carried out only by physicians, or at least under their supervision. Where health data is processed by third-party test centers, the data subjects were initially no longer protected by medical confidentiality, the professional secrecy that binds physicians. The Federal Data Protection Commissioner saw a gap here that needed to be closed. After all, test providers not only process the name, address and the health data obtained through the test; in the event of a positive result they are also obliged to notify the competent health authority. It is not known to what extent all test centers operate in compliance with data protection law, especially since there have already been several mishaps.

It was only after the Federal Data Protection Commissioner pointed this out in November 2021 that test centers were also placed under an obligation of confidentiality.

Review of health data in the workplace

Rules such as the 3G requirement in the workplace (vaccinated, recovered or tested) were also introduced to combat the pandemic. Here, too, health data was processed on a large scale, and employers suddenly found themselves with a large and heavy responsibility. They must carefully consider which data collection is necessary and when, and how the data is to be processed and stored. Many fundamental principles of data protection law apply. For example, when proof is merely inspected visually before entry to the workplace, storing the data is regularly not necessary at all. Where data is stored, it must be deleted as soon as its purpose no longer applies, which is not necessarily only at the end of the six-month maximum retention period (Section 28b(3) sentence 9 IfSG).

The Commissioner also addresses the problem that vaccination certificates, which were never designed as forgery-proof identity documents, suddenly took on precisely that function, and forgeries therefore quickly appeared.

Even though the processing of health data is more often genuinely necessary during the pandemic, the Federal Data Protection Commissioner urges caution. Handling health data too casually runs counter to a basic idea of the GDPR. In particular, he calls for health data not to become a permanent "entry ticket".

Do you have questions about data protection in your company? Our team of experts will be happy to assist you!
