Data protection and vaccinations

Especially with the debate over Corona vaccinations, the vaccination card is becoming more and more important and many are getting the feeling that it is becoming a "ticket to freedom." The bet is that the vaccination card will allow access to public events, summer vacations, and even getting out of the home office.

But how should the presentation of the vaccination certificate be assessed from a data protection perspective?

Proof of vaccination to the employer

May the employer ask to see the vaccination certificate or proof of a specific vaccination?

The vaccination certificate contains a lot of personal data and especially health data, which fall under Art. 9 GDPR and thus require special protection.

In principle, the employer may only process data that is necessary for the employment relationship. In fact, since the introduction of the Measles Protection Act (this is based on Art. 9 II lit. i DSGVO), there is an obligation in some professions to provide proof of vaccination against measles. But this does not mean that the employer may view the entire vaccination record or copy the relevant page. In this case, other solutions (such as inspection and written confirmation by two HR staff) should be used to ensure data minimization and purpose limitation.

In any case, the employer is in a dilemma between the obligation to provide evidence and data protection and should consult the respective data protection officer on a case-by-case basis.

Can the employer require other vaccinations?

Vaccinations other than against measles are not yet mandatory in Germany. Accordingly, the employer may not demand these as proof.

Even to allow workers vaccinated against Covid-19, for example, to work in an on-site office rather than a home office would require a change in the law, according to the current situation.

Handling Corona Tests

The special protection of Art. 9 GDPR also applies to corona tests/rapid tests and their results. It must therefore be ensured that the results are stored securely and destroyed as quickly as possible, and that only those persons who absolutely need to have access to them (for example, the employees entrusted with safekeeping or the company doctor) are given access, entirely in accordance with the "need-to-know principle".

If a test is positive, this may also only be communicated anonymously.

Particularly on the subject of Corona and data protection, there is still a lot going on and it is absolutely essential to consult regularly with the data protection officer. In any case, vaccination cards and data must be handled with great care.