Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Schleswig-Holstein: ULD published information page on processing of employees' COVID-19 data

The Schleswig-Holstein data protection authority ('ULD') published, on 24 November 2021, an information page on the processing of vaccination, serostatus, and test status of employees in relation to COVID-19. In particular, the ULD provided an overview of the changes to the Infection Protection Act of 20 July 2000 as amended entered into force on the 24 November 2021.

In addition, the ULD outlined the status, as of 24 November 2021, of the Supplementary Provisions according to the Schleswig-Holstein Ordinance to Combat the Coronavirus SARS-CoV-2 (Corona Control Ordinance - Corona Control Ordinance) of 20 November 20 2021 ('Corona-BekämpfVO'). Specifically, the ULD highlighted, among other things, that for employees in restaurants or accommodation establishments, who work in areas with regular guest contact, there are obligations to submit test, vaccination, or recovery certificates in accordance with Section 7(1)(3) and Section 17(1)(3) of CoronaBekämpfVO.

Furthermore, the ULD highlighted important information about the processing of employees' health data in relation to COVID-19, including the following:

  • as a result of the collection of personal employee data, the employer must provide the employees with the mandatory information in accordance with Article 13(1) and Article (2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR');
  • the procedure for processing the vaccination, serostatus, and test status must be documented in a list of processing activities, pursuant to Article 30 of the GDPR; and
  • only the employer, the company or department management and, if necessary, persons entrusted with the processing of the data or specifically authorised for this purpose, may access employees' health data.

You can read the information page, only available in German, here.