Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Germany: Federal guidelines on 3G regulation under the amended Infection Protection Act - Key takeaways Part one
Following the approval of the German Federal Parliament ('Bundestag') and the Federal Council ('Bundesrat'), the Infection Protection Act of 20 July 20001 ('IfSG') was amended, with the new rules coming into effect on 24 November 2021, and some additional regulations on 1 January 2022. The new rules, introduced by the Law Amending the Infection Protection Act and Other Laws on the Occasion of the Repeal of the Determination of the Epidemic Situation of National Scope of 22 November 20212 ('the Law'), will apply nationwide until 19 March 2022, regardless of whether a nationwide epidemic is identified or not. This period can be extended by three months only with a resolution from the Bundestag. In addition, the new rules serve as the legal basis for restrictions on fundamental rights and protective measures. In particular, the newly drafted Section 28(b) of the IfSG introduces the so-called 3G regulation at the workplace, which imposes an obligation on employees to present proof of COVID-19 vaccination, recovery, or test status. In addition, in order to better protect vulnerable groups, employers, employees, and visitors in certain facilities and establishments, such as hospitals, prevention, and rehabilitation facilities, must get tested.
This article is Part one of a two-part Insight on the amended IfSG and outlines the newly drafted Section 28(b) of the IfSG, as well as the guidelines and frequently asked questions ('FAQs') provided at the federal level. Part two will discuss the guidelines and FAQs by the German State data protection authorities.
The Law amending the Infection Protection Act
Section 28(b)(1)
The new Section 28(b)(1) of the IfSG stipulates that employers and employees may only enter workplaces where physical contact between employers and employees, or with third parties, cannot be ruled out, if they have been vaccinated against, recovered from, or tested negative against COVID-19, whereby they must carry a vaccination, recovery, or test certificate, keep it available for inspection, or have it deposited with the employer. Employers and employees are exempted from this only if they take a test or obtain a vaccination offered in the workplace (Section 28(b)(1) of the IfSG).3
Section 28(b)(2)
Section 28(b)(2) of the IfSG provides that employers, employees, and visitors in certain facilities and establishments under Section 23(3) of the IfSG, such as hospitals, preventive care, or rehabilitation facilities (provided that no medical care comparable to hospitals is provided there), day clinics, and doctor's offices, and under Section 36(1) No. 2 and 7 of the IfSG, such as inpatient facilities and outpatient care services, may only enter such facilities and establishments if they have been tested and carry a test certificate with them.
In addition, Section 28(b)(2) of the IfSG provides that persons treated, cared for, nursed, or accommodated in or by the facilities and establishment, as well as accompanying persons who enter the facility or establishment only for an insignificant period of time shall not be deemed to be visitors within the meaning of Section 28(b)(2) of the IfSG. Furthermore, Section 28(b)(2) of the IfSG does not apply to visitors who enter the facility or establishment only for an insignificant period of time as part of an emergency response or for other reasons without contact with the persons treated, cared for, nursed, or accommodated in the facilities and establishments (Section 28(b)(2) of the IfSG).
Section 28(b)(3)
Section 28(b)(3) of the IfSG stipulates that all employers, as well as the management of the facilities and establishments referred to in Section 28(b)(2) must monitor compliance with the obligations under Sections 28(b)(1) and 28(b)(2) on a daily basis by means of documentary checks, and document such compliance on a regular basis. All employers and employees, as well as visitors to the facilities and establishments referred to in Section 28(b)(2) of the IfSG must produce appropriate proof on request (Section 28(b)(3) of the IfSG).
In addition, Section 28(b)(3) of the IfSG provides that the employer, and the management of the establishments and facilities referred to Section 28(b)(2) of the IfSG, may process personal data of employers, employees, visitors, and guests, including data on vaccination, serostatus, and test status with regard to COVID-19, insofar as it is necessary to fulfil their obligation to monitor compliance with various provisions of Section 28(b) of the IfSG. The data may also be used to adapt the company's hygiene concept on the basis of the risk assessment under the Occupational Health and Safety Act (Section 28(b)(3) of the IfSG).
Furthermore, Section 28(b)(3) of the IfSG provides that companies must implement appropriate and specific measures to safeguard the data subject's interests when processing special categories of data in accordance with Section 22(2) of the Federal Data Protection Act of 30 June 2017 (implementing the GDPR) as amended ('BDSG').4
Definitions
2G/2G plus/3G/3G plus rules
2G stands for an individual's status of being vaccinated against or having recovered from COVID-19.5
2G plus refers to an individual's status of being vaccinated against or having recovered from COVID-19, and, in addition, being able to present a current negative test (rapid or PCR test).
3G stands for an individual's status of being vaccinated against, having recovered from, or tested negative for COVID-19.
3G plus stands for an individual's status of being vaccinated against, having recovered from, or tested negative for COVID-19 with a PCR test.
Workplaces
The Federal Ministry of Labour and Social Affairs updated, on 16 December 2021, its frequently asked questions on workplace infection control6 ('the Workplace Infection Control FAQs'). In particular, Question 1.1.2. of the Workplace Infection Control FAQs states that the term 'workplace' in Section 28(b)(1) of the IfSG is initially based on the definition of the term in Section 2 of the Workplace Ordinance of 12 August 20047 ('ArbStättV'). Thus, workplaces include, among other things, work rooms or other places in buildings on the site of an establishment, places outdoors on the site of an establishment, and places on construction sites, provided that they are intended for the use as workstations (Section 2(1) of the ArbStättV).
In addition, Question 1.1.2. of the Workplace Infection Control FAQs highlights that the concept of 'workplace' introduced in the context of the Occupational Health and Safety Act must be interpreted broadly in the context of Section 28(b) of the IfSG. Hence, it is irrelevant from the employees' perspective whether or not a workplace belongs to their own employer. As a result, employees and employers must also carry a 3G certificate with them each time they enter another employer's workplace for operational reasons (Section 1.1.2. of the Workplace Infection Control FAQs).
Employees
Question 1.1.3. of the Workplace Infection Control FAQs states that the term 'employees' is based on the definition in Section 2(2) of the Occupational Safety and Health Act of 7 August 19968 ('ArbSchG'). Thus, the concept of 'employees' covers workforce employees, persons employed for the purpose of their vocational training, and persons similar to employees within the meaning of Section 5(1) of the Labour Court Act of 3 September 19539 ('ArbGG'), excluding home workers and those equal in law to home workers. The concept of 'employees' also includes civil servants, judges, soldiers, and those employed in workshops for persons with disabilities. The term 'employee' is to be interpreted broadly in the context of Section 28(b) of the IfSG, and also applicable to persons who work in a similar capacity in the company or facility, such as individuals on volunteer service and voluntary workers (Question 1.1.3. of the Workplace Infection Control FAQs).
Physical contact
Question 1.1.4. of the Workplace Infection Control FAQs clarifies that the possibility of physical contact exists if a workplace contact with other persons cannot be ruled out, even if no direct physical contact actually arises. However, physical contact with other persons can be ruled out, for example, if individual employees of cleaning companies clean other employers' workplaces after working hours and no other persons are present in the workplace (Question 1.1.4. of the Workplace Infection Control FAQs). In addition, outdoor contacts and encounters are not considered contacts within the meaning of Section 28(b)(1) of the IfSG if there is a minimum 1.5 meters distance that does not result in direct physical contact (Question 1.1.4. of the Workplace Infection Control FAQs).
Federal FAQs and Guidelines
Federal Government FAQs
The Federal Government ('Bundesregierung') updated, on 14 December 2021, its frequently asked questions on all-important information for employees with respect to the new 3G rules10 ('the Employee FAQs'). In particular, the Employee FAQs clarify that under the Law access to the workplace is now only allowed to employees with 3G status, which the employer must inform the employees about. Hence, before entering the workplace, proof of vaccination, recovery status, or a valid negative test must be presented to and checked by the employer.11
The Employee FAQs emphasise that the data on vaccinated, recovered, or tested status may be processed by employers to fulfil their control and documentation obligations, while also serving to better adapt operational processes and hygiene concepts. However, the Employee FAQs highlight that the data may not be stored in the long term.
In addition, the FAQs highlight that both the employer and employee may face fines for violations of the new 3G rules under the Law, which can also have consequences for employees under labour law. Furthermore, the Employee FAQs highlight that employees in care facilities and integration assistance, who have been vaccinated against or have recovered from COVID-19, must in addition present proof of a negative rapid test, self-test, or PCR test, which also applies to visitors and persons who enter the facilities for professional reasons, such as parcel deliverers, craftspersons, or therapists.
Federal Ministry of Labour and Social Affairs FAQs
The Workplace Infection Control FAQs state, among other things, that vaccination, recovery, and test certificates are subject to special protection as health data, with Section 28(b) of the IfSG obliging employers to check such certificates in order to verify and document that employees comply with the obligation to carry or deposit a 3G certificate (Question 1.1.15. of the Workplace Infection Control FAQs). Hence, to the extent that it is necessary for this purpose, the employer may request and document personal data, such as the employee's name and the existence of a valid COVID-19 status certificate, including its expiry date. However, the provision does not entitle employers to collect or process other health data on employees (Question 1.1.15. of the Workplace Infection Control FAQs).
In addition, the employers' verification obligations and their right to process the health data on employees that they receive as a result, do not mean that they have a right to detailed information on vaccination or recovery status (Question 1.1.11. of the Workplace Infection Control FAQs). The Workplace Infection Control FAQs also emphasise that the employer may only process the vaccination, recovery, and test certificates insofar as this is necessary for the purpose of checking the certificates or when revising their workplace hygiene policies (Question 1.1.15. of the Workplace Infection Control FAQs).
Furthermore, the employer must comply with data protection rules, in particular with the requirement to implement appropriate and specific measures to safeguard the data subject's interests in accordance with Section 22(2) of the BDSG (Question 1.1.15. of the Workplace Infection Control FAQs). These measures include, among other things, technical and organisational data security measures, such as restricting unauthorised access to the data (Question 1.1.15. of the Workplace Infection Control FAQs). The principle of purpose limitation under Article 5(1)(b) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is also applicable, hence, processing for any other purpose is not permitted (Question 1.1.15. of the Workplace Infection Control FAQs).
Question 1.1.13. of the Workplace Infection Control FAQs highlights that in order to comply with the principle of data minimisation pursuant to Article 5(1)(c) of the GDPR, it is sufficient to 'tick off' the first name and last name of each employee on a list for the day their certificate is checked once they have presented the required certificate. In addition, if an employee presents a vaccination certificate, it is sufficient to verify and document its existence only once (Question 1.1.13. of the Workplace Infection Control FAQs). The same generally also applies to individuals with recovered status. However, in this case it must also be noted that if the recovered status expires before 19 March 2022, then the respective persons must either present a vaccination certificate once, or present a test certificate every working day. Hence, employers should also document the expiry date of recovered status certificates (Question 1.1.13. of the Workplace Infection Control FAQs).
With respect to self-tests carried out under the employer's supervision, Question 1.1.19. of the Workplace Infection Control FAQs notes that for the documentation of testing, it is sufficient to document the first and last names of the individuals supervising the tests and the test subjects together with the date and time of testing.
With respect to retention periods, Question 1.1.14. of the Workplace Infection Control FAQs clarifies that there is no minimum retention period, however, the data must be deleted no later than six months after it has been collected.
Employers who fail to comply with the GDPR may face fines and claims for damages (Question 1.1.15. of the Workplace Infection Control). In addition, Section 73(2) of the IfSG provides for a range of fines of up to €25,000 for violations of the obligation to check and carry COVID-19 status certificates under Section 28(b) of the IfSG (Question 1.1.21. of the Workplace Infection Control).
Alexandra From Privacy Analyst
[email protected]
1. Available at: http://www.gesetze-im-internet.de/ifsg/BJNR104510000.html (only available in German)
2. Available at: https://www.bgbl.de/xaver/bgbl/start.xav#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl121s4906.pdf%27%5D__1638261257804 (only available in German)
3. See also Question 1.1.8. of the Federal Ministry of Labour and Social Affair's Workplace Infection Control FAQs of 29 November 2021 at: https://www.dataguidance.com/legal-research/questions-and-answers-workplace-infection, and an updated version on 16 December 2021 at: https://www.bmas.de/DE/Corona/Fragen-und-Antworten/Fragen-und-Antworten-ASVO/faq-corona-asvo.html (only available in German)
4. Available at: https://www.dataguidance.com/legal-research/federal-data-protection-act-30-june-2017
5. See the Federal Ministry of Health's FAQs on current regulations at: https://www.zusammengegencorona.de/informieren/alltag-und-reisen/aktuelle-regelungen/#id-7cab0cb0-1004-5466-a5d2-306629830136, and the Bavarian State Ministry of the Interior on the topics of sport and integration at: https://www.innenministerium.bayern.de/miniwebs/coronavirus/faq/index.php (both only available in German)
6. See the Workplace Infection Control FAQs of 29 November 2021 at: https://www.dataguidance.com/legal-research/questions-and-answers-workplace-infection, and an updated version on 16 December 2021 at: https://www.bmas.de/DE/Corona/Fragen-und-Antworten/Fragen-und-Antworten-ASVO/faq-corona-asvo.html (both only available in German)
7. Available at: https://www.dataguidance.com/legal-research/workplace-ordinance-12-august-2004-arbst%C3%A4ttv
8. Available at: https://www.dataguidance.com/legal-research/act-implementation-measures-occupational
9. Available at: https://www.gesetze-im-internet.de/arbgg/ (only available in German)
10. Available at: https://www.bundesregierung.de/breg-de/themen/coronavirus/informationen-fuer-arbeitnehmer-in-der-corona-pandemie-1821408; see also the Bundesregierung's press release from 25 November 2021 at: https://www.bundesregierung.de/breg-de/suche/infektionsschutz-arbeitsplatz-1983894 (both only available in German)
11. See also Question 1.1.8. of the Workplace Infection Control FAQs.