Employees are sometimes absent due to illness, and every such absence generates personal data. What needs to be communicated to whom in these cases? How else should the data of the employee on sick leave be handled? This article answers those questions.

Information included on all four pages of the certificate of incapacity for work:

  • Health insurance company or payer,
  • Name, address, date of birth and insurance number of the person who is ill,
  • Cost Object Identifier,
  • Physician number and name of certifying physician,
  • Dates of issuance of the certificate, determination, and the beginning and expected end of incapacity for work,
  • Initial or follow-up certificate,
  • Work as the cause (yes/no),
  • Transit doctor assigned (yes/no).

On the first, third and fourth pages are additionally noted:

  • up to six illnesses or symptom complexes that can justify incapacity for work (coded according to ICD-10), but not in the case of certificates from the dentist;
  • Status of the insured,
  • Operating site number,
  • Accident as cause (yes/no),
  • Supply condition (yes/no),
  • Rehabilitation services required (yes/no),
  • gradual reintegration (yes/no),
  • other special measures,
  • Sick pay case (yes/no), final certificate (yes/no), if applicable.

On the second page (for the employer), the designation of the illness or its symptoms is missing for reasons of health data protection and medical confidentiality.

How may the employer handle sick leave?

If the employer receives a sick note, it must be handled in the same way as other personal data collected during the employment relationship: the employer must state which data it processes (Art. 13, 14 GDPR), and the data must be deleted once the purpose for which it was collected ceases to apply. A sick note may be kept only until, for example, the employee's claims to sick pay have been settled.

In addition, the sick note contains health data (the mere information that a person is ill is sufficient), i.e. personal data of a special category (Art. 9 I GDPR). The data is therefore subject to special protection, and this must be reflected in how it is handled: sick notes are not to be copied, and they must be disposed of properly so that no data remains recognizable. In addition, employees' health data must not be passed on to third parties. Secure communication channels must also be used to transmit sick notes.

What may the employer ask?

In principle, the employer has a legitimate interest in knowing when and for how long an employee will be absent (Section 32 I 1 BDSG). In addition, employees are entitled to continued payment of remuneration in the event of illness. For this situation, Section 5 of the Continuation of Remuneration Act (Entgeltfortzahlungsgesetz - EntgFG) provides that the employee must inform the employer immediately (i.e. without culpable hesitation) that he or she is unable to work and how long this is expected to remain the case.

As a rule, a medical certificate must be submitted only after the third day of absence, but the employment contract may stipulate otherwise.

From a legal point of view, the exact reason for the absence does not have to be stated.

To whom may the employer disclose the illness?

In most companies, an illness also means that a replacement must be found for the sick colleague. If a team is affected, it usually has to reschedule entire processes. Any statements about the employee's state of health made by the employer to colleagues or other third parties are not permitted under data protection law. An exception to this may exist if the sick employee has consented. In addition, such processing of health data may be necessary for the fulfillment of obligations under the employment contract.

Colleagues must also be careful not to disclose information about the sick employee's health to customers, for example.


In the event of an employee's illness, a lot of particularly sensitive data is generated, which must be handled with appropriate care. It is not only the employer who must maintain an overview; the other employees must also be appropriately trained in data protection law.
