What can employers ask when doing the background check

Information from the data protection authority on the coronavirus (Covid-19)

Due to the current epidemic, the question arises for companies, authorities and also for employees under which circumstances data (especially health data) can and may be processed and exchanged.

As an introduction, the data protection authority points out that data on infections with the coronavirus (Covid-19) and suspected cases are among those sensitive data for which data protection law provides special protection.

However, data protection law also provides that this health data can be used to the extent necessary to contain the spread of the virus and to protect fellow human beings. This includes, in particular, the collection of data from people who have been found to be infected or who are suspected of having come into contact with an infected person or staying in a risk region.

In the context of labor law, it should be noted that every employer has a duty of care towards his employees, including the exclusion of health risks in the workplace. Against this background, the processing of health data can be based on Article 9 (2) (b) GDPR in conjunction with the relevant provisions on the duty of care (processing for the purpose of fulfilling obligations under labor and social law). For the transmission of health data to the health authorities, Article 9 (2) (i) GDPR in conjunction with Section 10 (2) DSG provides a corresponding legal basis (processing for reasons of public interest in the area of public health). Furthermore, upon request of the district administrative authorities, the employer may also be obliged to provide information (on suspected cases and infections) in accordance with Article 9 (2) (i) GDPR in conjunction with Section 5 (3) Epidemics Act 1950. You can find further information in our FAQ. Please contact the health authorities if you have any questions about to whom infections or suspected cases should be reported.

In order to prevent risks, it is also permissible for employers to ask for the private mobile phone number of their employees and to store it temporarily in order to be able to warn them about an infection in the company or in the authority so that they do not have to appear at the workplace. However, employees cannot be forced to provide this information. The data protection authority provides a sample form on its website, free to use, for collecting private contact data from employees.

The data processing must be carried out in compliance with the purpose limitation principle in accordance with Article 5 (1) (b) GDPR. Use of the health data for purposes other than preventive health care, containment of the virus and therapeutic treatment is therefore not permitted. In addition, reference should be made to the principle of storage limitation in accordance with Article 5 (1) (e) GDPR. At the end of the epidemic, data that is no longer necessary (such as, in particular, the employees' private contact details) must therefore be deleted. Because more and more employees are working from home, the data security requirements according to Art. 5 (1) (f) in conjunction with Art. 32 (1) GDPR must also be observed. In particular, employers should point out to their employees that hardware (such as work laptops and work cell phones) must be kept safe, that a protected WLAN connection with a strong password (ideally also an encrypted VPN connection) must be used where available, and that increased attention should be paid to phishing messages carrying allegedly new information about the coronavirus. The data protection authority provides a more detailed information sheet on the subject of data security and home office on its website.

Questions and answers about data protection and COVID-19

As of November 23, 2020

  1. Can an employer ask its employees whether they have been in a risk region or whether they have had contact with infected people?
  2. If an employer asks his employees orally about their state of health, data protection law does not apply. Is that correct?
  3. Can an employer order that all employees must take a temperature measurement ("fever measurement") before entering the company?
  4. Can an employer order that all employees have to carry out a PCR test?
  5. Can an employer submit data on infection cases to health authorities?
  6. Can an employer collect the private contact details of employees in order to be able to inform them at short notice of a suspicious event or an infection in the workplace?
  7. Can an employer tell the workforce the specific names of individuals who have been infected with the coronavirus (COVID-19)?
  8. How does data protection law relate to labor law in the context of COVID-19?
  9. I am suspected of being infected or I am infected. What data can the health authorities process about me?
  10. Do entrepreneurs who have organized mass events (trade fair, theater, sporting event, etc.) have to transmit visitor data to the health authorities?
  11. Which data can a mayor use to support citizens in his municipality in the current exceptional situation?
  12. As a data subject, do I have to participate in the so-called "screening programs"?
  13. Can participation in events that involve a confluence of large crowds be made subject to the condition that I, as the person concerned, have to prove that I have used a contact tracing app ("contact diary app")?
  14. What do you have to consider from a data protection point of view when using a home office?
  15. Are communication providers allowed to make the movement profiles of cell phone users available to the government in order to contain the spread of infections?
  16. Do I have to provide public security organs with information about a (possible) infection with SARS-CoV-2?
  17. When entering a restaurant, do I have to provide the operator of the restaurant with my contact details for possible contact tracing by the responsible health authority?
  18. Is it permissible for the responsible health authority to collect my contact details in Viennese restaurants for possible contact tracing?
  19. What guidelines has the European Data Protection Board published so far on data protection and COVID-19?

1. Can an employer ask its employees whether they have stayed in a risk region or whether they have had contact with infected people?

Employers have a duty of care due to labor law provisions (both in the private and in the public sector) and must ensure that health risks in the workplace are excluded. In any case, the prevention of infections and the containment of the spread of viruses in the workplace are also part of excluding health risks.

Against this background, an inquiry into the state of health by the employer (controller) can be based in particular on the fulfillment of the labor law duty of care in accordance with Article 9 (2) (b) GDPR. However, the data processing must always be carried out in compliance with all principles set out in Art. 5 (1) GDPR.

The Ministry of Social Affairs offers further information on risk areas and infection case numbers at:

https://www.sozialministerium.at/Themen/Gesundheit/Uebertragbare-Krankheiten/Infektionskrankheiten-A-Z/Neuartiges-Coronavirus.html

2. If an employer asks his employees orally about their state of health, data protection law does not apply. Is that correct?

No.

It should be noted that the fundamental right to secrecy in accordance with Section 1 (1) DSG, unlike the GDPR, also applies to verbal communications. This means that data protection requirements must be complied with regardless of whether the employee's data is collected electronically, in the form of physical questionnaires (filing system) or orally.

3. Can an employer order that all employees must take a temperature measurement ("fever measurement") before entering the company?

This is primarily a labor law issue (see question 8). From a data protection point of view, there are generally less intrusive means of collecting health data (i.e. checking the state of health), especially since fever is only one of several possible symptoms of an infection with COVID-19 and the disease can also run its course entirely without symptoms.

It must therefore always be asked whether less intrusive means are available to achieve the goal, such as switching to home office, questioning the employee (see question 1), observing safety distances, wearing a mask or providing disinfectants.

As part of their duty of loyalty to their employer, employees also have to report a suspected infection on their own initiative. The workforce can be made aware of this.

An exception can exist if an examination obligation (suitability and follow-up examination) is legally stipulated. This can be the case for activities within the meaning of Section 49 of the Employee Protection Act where there is a risk of an occupational disease.

4. Can an employer order that all employees have to carry out a PCR test?

This, too, is primarily a question of labor law (see question 8). From a data protection point of view, it should be noted that such tests, unlike fever measurements (see question 3), are in any case more suitable for determining a person's state of health.

The implementation of such rapid tests can in principle be based on Article 9 (2) (b) GDPR in conjunction with the respective labor law provisions on the duty of care. This can then be permissible if it can be proven that infections have already occurred in the company and it is actually necessary to check the state of health to prevent further spread of the infection.

It always applies that there must be objective reasons and that such measures are not carried out arbitrarily.

5. Can an employer submit data on infection cases to health authorities?

For the transmission of information about specific cases of infection to the health authorities, Article 9 (2) (i) GDPR in conjunction with Section 10 (2) DSG provides a corresponding legal basis. The current epidemic can be regarded as a disaster within the meaning of Section 10 (1) DSG.

In addition, upon request by the district administrative authorities, the employer may be obliged to provide information on suspected cases and infections in accordance with Article 9 (2) (i) GDPR in conjunction with Section 5 (3) of the 1950 Epidemic Act.

Please contact the health authorities if you have any questions about to whom infections or suspected cases should be reported.

6. May an employer collect the private contact details of employees in order to be able to inform them at short notice of a suspicious event or an infection in the workplace?

In order to prevent risks, it is permissible for employers to request the private contact details of their employees and to store them temporarily in order to be able to warn them at short notice about a suspected case or an infection at the workplace so that they do not have to appear at the workplace. However, employees cannot be forced to provide this information.

The data protection authority provides a sample form on its website for collecting private contact details from employees. The sample form covers all data protection requirements, in particular the information requirements according to Art. 13 GDPR.

7. Can an employer tell the workforce the specific names of individuals who have been infected with the coronavirus (COVID-19)?

Data about infections and suspected cases are among those sensitive data for which data protection law provides special protection. In particular, the aim is to prevent individual persons from being stigmatized in the workplace due to suspicion or an infection.

At the same time, however, data protection law provides that data on the state of health can be used to the extent necessary to contain the spread of the virus and to protect fellow human beings.

In line with the principle of data minimization in accordance with Art. 5 (1) (c) GDPR, it must therefore be carefully considered in each individual case whether it is necessary to give the workforce the specific names of individuals who have become infected, or whether the general information that an infection has occurred in the workplace is sufficient. Naming infected persons individually can prove to be permissible if it is necessary in order to ascertain who had contact with these persons before the infection became known.

8. How does data protection law relate to labor law in the context of COVID-19?

According to Art. 88 GDPR, the national legislator has the possibility ("opening clause") to enact more specific rules to ensure the protection of rights and freedoms with regard to the processing of employees' personal data in the employment context.

Against this background, it should be noted with questions 1-7 (see above) that in addition to the provisions of the GDPR and the DSG, the relevant labor law provisions of the ArbVG (and, if applicable, the AVRAG) may apply.

For example, the business owner has to hear the works council in accordance with Section 92a (1) ArbVG "in good time in all matters relating to safety and health protection and consult with it". This applies in particular to the cases of Section 92a (1) Z 1 ArbVG, where, put simply, new technologies for the (systematic) collection of employees' health data are introduced. The works council must therefore be heard and consulted before the introduction of (systematic) measures to contain SARS-CoV-2 (fever measurement, PCR tests, contact tracing, etc.). The data protection authority recommends documenting the involvement of the works council.

In addition, it should be noted that according to Section 96 (1) ArbVG, the consent of the works council is required in certain cases.

This is the case with the introduction of personnel questionnaires to survey the state of health of employees in accordance with Section 96 (1) Z 2 ArbVG (e.g. questions about staying in risk areas and symptoms of illness).

The introduction of "control measures and technical systems for the control of employees, insofar as these measures (systems) affect human dignity" is also subject to approval pursuant to Section 96 (1) no. 3 ArbVG. The data protection authority initially takes the view that the systematic assessment of the state of health (

If no works council has been set up, the consent of the employee is required in accordance with Section 10 AVRAG.

The admissibility of such measures (see in particular questions 3 and 4) can therefore only be assumed if the data protection and labor law conditions are complied with.

9. I am suspected of being infected or I am infected. What data can the health authorities process about me?

Health data can be used to the extent necessary to contain the spread of the virus and to protect those around you.

According to Art. 9 Paragraph 2 lit. i GDPR in conjunction with Section 4 Paragraph 4 Epidemic Act 1950, the health authorities may process the following categories of data from you:

  • Data for the identification of sick people (name, gender, date of birth, social security number and area-specific personal identification according to § 9 E-GovG),
  • the clinical data relevant for the notifiable illness (history and course of the illness) and laboratory data,
  • Data on the patient's environment, insofar as they are related to the notifiable illness, and
  • Data on the precautionary measures taken.

In order to protect your data, Section 4 of the Epidemic Act 1950 stipulates special security requirements that the health authorities must adhere to.

10. Do entrepreneurs who have organized mass events (trade fair, theater, sporting event, etc.) have to transmit visitor data to the health authorities?

At the request of the district administrative authorities, organizers are obliged to provide information on suspected cases and infections in accordance with Art. 9 Paragraph 2 lit. i GDPR in conjunction with Section 5 Paragraph 3 Epidemic Act 1950. The obligation to provide information also includes the transmission of visitor data to the extent necessary. This provision of information can be relevant in particular if the exit restrictions should be tightened again in the future.

11. What data may a mayor use to support citizens in his municipality in the current exceptional situation?

With the 3rd COVID-19 Act, Federal Law Gazette I No. 23/2020, the Epidemic Act 1950 was amended and a further legal basis for data processing was introduced.

Section 3a Epidemic Act 1950 now provides that the district administrative authority is authorized to notify the mayor of the name and the necessary contact details of a person who is subject to a separation measure under the Epidemic Act 1950 because of COVID-19 and who lives in his municipality, if and to the extent that this is absolutely necessary in order to provide that person with the necessary health services or with goods or services for everyday use.

This legal basis is to be interpreted in the light of the data protection principles of Art. 5 GDPR, which is also expressed in Section 3a Paragraph 3 to Paragraph 4 of the 1950 Epidemic Act. Accordingly, data processing for other purposes is prohibited and the data must be deleted immediately if its processing is no longer necessary. In addition, suitable data security measures must be taken in accordance with Art. 32 Paragraph 1 GDPR.

Finally, it should be pointed out that this legal basis, in accordance with Section 50 (8) of the 1950 Epidemic Act, will expire on December 31, 2020 and is therefore limited in time.

12. Do I, as the person concerned, have to take part in the so-called "screening programs"?

With the 16th COVID-19 Act, Federal Law Gazette I No. 43/2020, the legislature again amended the Epidemic Act 1950.

Section 5a of the Epidemic Act 1950 (as amended by Federal Law Gazette I No. 43/2020) now provides that the federal minister responsible for the health system can carry out screening programs insofar as this is necessary for assessing the control measures already taken, for planning the further control strategy, for the protection of certain groups of people particularly affected by the pandemic, or to ensure the functionality of the health system. To put it simply, these screening programs aim to determine the incidence of infections within certain regions or population groups.

According to the express wording of Section 5a (3) of the 1950 Epidemic Act, participation (and the associated data processing) is only permitted with the express consent of the persons concerned in accordance with Article 9 (2) (a) GDPR.

So this means that you don't have to attend screening programs if you don't want to. Failure to take part must not result in you being discriminated against in any way by an authority.

13. Can participation in events that involve a confluence of large crowds be made subject to the condition that I, as the person concerned, have to prove that I have used a contact tracing app ("contact diary app")?

No.

According to Section 15 (1) (2) of the Epidemics Act as amended by Federal Law Gazette I No. 43/2020, participation in such events can be tied to compliance with certain prerequisites or requirements.

However, Section 15 (3) leg. cit. expressly states that such officially ordered prerequisites or requirements may not include the use of contact tracing technologies.

14. What should be considered from a data protection point of view when using a home office?

From a data protection point of view, when working from home, the data security requirements in accordance with Art. 32 Para. 1 GDPR must be observed.

The data protection authority provides a corresponding information sheet on its website. It is suggested that employers share this information sheet with their employees.

15. Are communications providers allowed to make the movement profiles of cell phone users available to the government in order to contain the spread of infections?

This is permissible according to Art. 9 e-DSRL in conjunction with Section 102 (1) No. 1 TKG 2003, provided that only data without personal reference ("anonymous data") is transmitted. Based on this anonymous data, movement flows can be analyzed and, consequently, the extent to which the

Appropriate anonymization techniques must be used to ensure that conclusions about specific persons are no longer possible, or only possible with disproportionately high effort.

In the present context and under the current national legal situation, the forwarding of an individual movement profile that can be assigned to a specific person is only possible on the basis of that person's consent, which can be revoked at any time, in accordance with Art. 9 e-DSRL in conjunction with Section 102 (1) No. 2 TKG 2003.

16. Do I have to provide organs of the public security service with information about a (possible) infection with SARS-CoV-2?

In accordance with Section 28a, Paragraph 1b of the Epidemic Act as amended by Federal Law Gazette I No. 103/2020, the health authorities can use the organs of the public security service to collect the following information from people who are sick, suspected of being sick or suspected of being contagious:

  • the collection of identity data (name, place of residence),
  • inquiring about any symptoms of the disease, and
  • the collection of contact details (telephone number, email address).

In addition, the organs of the public security service are authorized to carry out ZMR queries for this purpose.

This data collected by the organs of the public security service may only be processed for the purpose of contacting the person concerned and must be deleted after transmission to the responsible health authority.

17. When entering a restaurant, do I have to provide the operator of the restaurant with my contact details for possible contact tracing by the responsible health authority?

First of all, it should be noted that the GDPR applies provided that the guest records are structured according to certain criteria (filing system) within the meaning of Art. 4 No. 6 GDPR. At the latest when the guest records are sent to the health authorities (in the case of a confirmed infection), the applicability of the GDPR can be assumed in any case.

Regardless of whether the GDPR applies, unstructured guest records are also subject to the fundamental right to secrecy according to Section 1 (1) DSG, which must be interpreted in the light of the GDPR.

It should also be noted that the prohibition principle of Art. 9 (1) GDPR applies to such matters. This is because information about a possible infection of a certain group of visitors constitutes a potentially sensitive data item, and from this point in time at the latest one of the conditions of Art. 9 (2) GDPR must (also) be met.

In any event, such contact tracing cannot be based (solely) on legitimate interests in accordance with Article 6 (1) (f) GDPR.

Likewise, such contact tracing cannot be based on Art. 9 (2) (c) GDPR, since, in the opinion of the data protection authority, this provision presupposes an immediate risk and other legal bases come into consideration (see recital 46 GDPR).

Consent in accordance with Article 9 (2) (a) GDPR can in any case be considered, provided that access to the restaurant is not denied when the contact details are refused; otherwise no voluntary consent can be assumed.

Another possibility is the creation of a qualified legal basis in national law in accordance with Article 9 (2) (i) GDPR, on the basis of which the above-mentioned data is collected by the operator of the restaurant.

It should be noted that this legal basis must provide for appropriate and specific measures to safeguard the rights and freedoms of the data subject in accordance with the express regulation text of Article 9 (2) (i) GDPR. Furthermore, the legal basis must be clear and precise and its application must be foreseeable for those subject to the law (see recital 41 GDPR).

A national standard has to meet these requirements in order to be used as a qualified legal basis in accordance with Article 9 (2) (i) GDPR for such data processing.

18. Is it permissible for the responsible health authority to collect my contact details in Viennese restaurants for possible contact tracing?

For the Vienna area, on the basis of Section 5 (3) of the Epidemic Act, the ordinance of the City of Vienna regarding the provision of information for contact tracing in connection with suspected cases of COVID-19 (Vienna Contact Tracing Ordinance) was announced.

In the provision mentioned, it is stipulated, among other things, that the operators of operating facilities in the catering trade must provide the responsible health authorities with the following information on request:

  • First name, last name
  • Phone number
  • E-mail address
  • Table number

In the meantime, the data protection authority has ruled on November 19, 2020, GZ: 2020-0.743.659 (not legally binding) as part of a complaint procedure against a Viennese innkeeper that Section 5 (3) of the Epidemic Act in conjunction with Section 1 (2) (e) of the Vienna Contact Tracing Ordinance does not represent a sufficiently precise legal basis for the collection of the above-mentioned data categories by restaurants, in accordance with the requirements of Art. 9 Para. 2 lit. i GDPR:

The obligation to provide information for operators of catering establishments provided for in Section 5 (3) of the Epidemic Act in conjunction with Section 1 (2) (e) of the Vienna Contact Tracing Ordinance contains neither clear nor precise rules on the scope and application of this measure. In particular, it is not clearly evident to data subjects under which circumstances there is an interference with their right to data protection, guaranteed under constitutional law in Section 1 DSG and under primary law in Art. 8 EU-GRC, and whether this data must be disclosed. In addition, the cited provisions contain an obligation to provide information to the responsible health authority, but not an obligation to collect data from the persons concerned.

The cited decision of November 19, 2020 is not legally binding. We therefore ask for your understanding that a full publication of the decision is not currently planned. However, here you will find the legal assessment that the data protection authority made in the context of the decision.

Persons who consider that their rights have been violated by such data collection have the opportunity to lodge a complaint with the data protection authority.

19. What guidelines has the European Data Protection Board published so far on data protection and COVID-19?

In its guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, the European Data Protection Board made statements on location data and anonymization on the one hand (see question 12) and, on the other hand, formulated recommendations and functional requirements for so-called "Corona apps" (electronic contact diaries).

In addition, in its guidelines 3/2020 on the processing of health data for the purpose of scientific research in the context of the COVID-19 outbreak, the European Data Protection Board made statements on the relationship between the fundamental right to data protection and the freedom of science according to Art. 13 EU-GRC.

Both guidelines are currently available in English.
