Federal Data Protection Commissioner Ulrich Kelber has now presented his activity report for 2021. In it, he warns in particular against handling health data too lightly as a result of developments during the Corona pandemic.
Legal regulation on the processing of health data such as vaccination status
First of all, the Federal Data Protection Commissioner states that, in view of the Corona pandemic, it is necessary to establish legal regulations for the processing of health data such as vaccination and recovery status or test results. The guideline for this is Art. 9 II GDPR. The requirements of the GDPR must also be complied with in the private sector.
If there is no such legal basis, the only possible justification for processing this data is the consent of the data subject. Particularly in employment relationships, this is problematic because the imbalance of power calls the voluntariness of consent into question. Statutory regulations would create legal clarity, legal certainty and uniformity here.
The Federal Data Protection Commissioner, Ulrich Kelber, intends to continue advising the federal ministries involved on this goal and to work toward a legal regulation.
Health data must not become tickets
Many pandemic-control measures have effectively turned health data into entry tickets. Checking health data such as vaccination and recovery status or test results constitutes processing of health data and, under Art. 9 GDPR, is permissible only under special conditions and with special safeguards for data subjects.
The Federal Data Protection Commissioner criticizes in particular that he was not involved in the decisions on the relevant ordinances. In addition, the explanatory statements for the drafts did not address Art. 9 GDPR. On the positive side, however, he notes that digital solutions for providing proof partially mitigate the risks. He argues that there should additionally have been an "accompanying requirement for those carrying out the checks to maintain confidentiality".
Even if the pandemic situation as such could constitute an exceptional situation within the meaning of Art. 9 II GDPR, no reference was made to it. In addition, there is a risk that handling health data lightly will become more common as a result.
Handling of health data in test centers
The progression of the pandemic has also meant that the tests needed in many places are no longer carried out only by doctors or at least under their supervision. Where health data was processed by third-party test sites, data subjects were initially no longer protected by professional confidentiality. The Federal Data Protection Commissioner saw a gap here that needed to be closed. After all, test providers not only process name, address and the health data obtained through the test; a positive test also triggers an obligation to report to the competent health authority. It is not known to what extent all test centers operate in compliance with data protection law, especially since there have already been several incidents.
It was not until the Federal Data Protection Commissioner pointed this out in November 2021 that the test centers were also obliged to maintain confidentiality.
Review of health data in the workplace
Regulations such as 3G in the workplace were also introduced in part to combat the pandemic. Here, too, health data was processed on a large scale. Employers suddenly found themselves bearing a heavy responsibility. They must carefully consider what data collection is necessary and when, and how the data is to be processed and stored. Many fundamental principles of data protection law must be observed. For example, as a rule it is not necessary to store data when a visual inspection is carried out prior to entry to the workplace. Where data is stored, it must be deleted as soon as its purpose has ceased to apply, which can be the case before the maximum storage period of six months (Section 28b III 9 IfSG) has expired.
A further problem was that vaccination certificates, which had never been designed as forgery-proof IDs, suddenly took on precisely this function, and forgeries therefore quickly emerged.
Conclusion
Even if the processing of personal data in the form of health data is necessary much more frequently during the pandemic, the Federal Data Protection Commissioner urges caution. Handling health data too lightly would run counter to a basic idea of the GDPR. In particular, he demands that health data must not become an "entry ticket" in the long term.