Germany Covid Update

Background

At the end of last year, the Federal Government amended § 28b of the Infection Protection Act (“IfSG”). The aim of the legal regulation was that employees (m/f/d) may only enter workplaces in which physical contact with each other or with third parties cannot be ruled out if the employees have been vaccinated, recovered or tested (“3G”).

According to § 28b IfSG old version (old version), the employees had to carry a proof of vaccination, a proof of recovery or a test certificate, keep it available for inspection or have deposited it with the employer. § 28b IfSG a.F. obliged employers to monitor compliance with the 3G regulations on a daily basis and to document them regularly; the employer was obliged to provide the competent authority with information on how to carry out its monitoring task.

• § 28b IfSG a.F. provided that the collected data was to be deleted at the latest at the end of the sixth month after their collection. These regulations were limited until 19 March 2022. What to do with the remaining data?

Data processing on the basis of § 28b IfSG a.F.

A proof of vaccination, a proof of recovery or a test certificate are special categories of personal data according to Art. 9 para. 1 GDPR, as these are health data. The processing of health data is only possible to a limited extent, for example on the basis of consent. Article 9(2)(i) GDPR gives national legislators the opportunity to create a legal basis for the processing of health data if this is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border health hazards.

The German legislator has also made use of this. In § 28b Abs. 3 IfSG a.F. it was clarified that health data, including data on vaccination, sero- and test status, may be processed by the employer in order to monitor and regularly document compliance with the 3 G measures. This legal basis has now disappeared, because it was limited until 19 March 2022.

The German legislator also made it clear that the provisions of general data protection law remain unaffected, so that the admissibility of further processing is measured in particular according to the GDPR.

Deletion required

In principle, personal data may only be processed for as long as this is necessary for the respective purpose. Consequently, this means that personal data must be deleted when there are no longer any purposes for which they are to be processed. Data retention is not permitted.

The German legislature had clearly stipulated in § 28b sec. 3 IfSG old version that the relevant health data may only be processed for the purpose of compliance with the 3 G measures. This purpose has now disappeared. Nor is any other legal basis of Article 9 (2) GDPR relevant to justify the processing of health data. Supplementary purposes for which this personal data would continue to be processed are also missing.

Consequently, personal data collected to control and monitor compliance with 3G regulations must be deleted. This deletion must be carried out in compliance with data protection regulations, i.e. in such a way that the personal data concerned cannot be recovered. How this can be implemented depends on whether the personal data is recorded digitally or on paper.

• 28b Abs. 3 IfSG a.F., which provided for a deletion period after 6 months, also does not speak against this immediate deletion obligation. According to the wording, this was a maximum retention period, which must nevertheless be measured against the previously general principles (no data retention).

Result

If you still keep 3G proofs of your employees, they must be deleted or destroyed as soon as possible and permanently.

By Johannes Fischer, MELCHERS, Germany, a Transatlantic Law International Affiliated Firm.  

For further information or for any assistance please contact germany@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.