Employers obliged to process vaccination status of employees

In the middle of the 4th Corona wave, the German legislator has today enacted new changes to the German Act Against Infectious Diseases.

19 November 2021


These new changes relate to a number of different areas of daily life. From a data protection perspective, the so-called 3G rule – which is to be applied by German employers – is of specific interest. Under this rule, only employees who have been vaccinated, tested or recovered from a Corona infection (geimpft, getestet, genesen) may be admitted to the workplace. Employers have to verify the status of their employees when they enter the premises and must also document this accordingly.

This is in sharp contrast to the data protection situation so far, which made it, at least following the view taken by German data protection authorities, impossible for employers to query their employees about their vaccination status (with the exception of certain facilities, such as nursing homes for the elderly or schools). The regulation now clearly states that, to the extent necessary to comply with these new obligations, the employer may process its employees' personal data for this purpose, including data on vaccination, sero and testing status in relation to COVID-19.

As a consequence, employers must now not only verify the status of their employees, but also consider amending their register of processing activities as well as, depending on the wording so far, amending their employee privacy declaration. The provision is initially valid until 19 March 2022.

For companies and employers, however, there is one important point of legal uncertainty:

On the one hand, the legislator has expressly stipulated that personal data collected under the 3G rule must be deleted at the latest at the end of the sixth month after it was collected, “whereby the provisions of general data protection law remain unaffected”. On the other hand, violation of monitoring obligations itself constitutes an administrative offence that can be sanctioned with a fine of up to €25,000. Since the statute of limitations for the offence does not expire until three years have elapsed, the employer may be in need of proof if it finds itself exposed to administrative offence proceedings for breach of monitoring duties after the six-month deletion period has expired.

In order to avoid this, the employer would have to keep the data longer, namely up to three years after the expiry of the regulation. In principle, it is recognised that deletion can be waived if retention is necessary for the assertion, exercise or defence of legal claims on the part of the processing company. Moreover, the law also provides that the provisions of general data protection law remain unaffected. However, it is doubtful whether such a long retention period of up to three years is compatible with the clearly formulated statutory retention period of six months. A corresponding limitation regulation in the Infection Protection Act would therefore have been necessary. Since this is currently lacking, companies are advised to retain the data until there is clear communication on this, either by the data protection authorities or by legal regulation.

For general information on the rules applying in the workplace and the return of the work-from-home obligation, please check our Germany Covid-19 updates.
