• Insights

Data protection aspects of the COVID-19 pandemic in Austria

Written by
Schima Mayer Starlinger, a modern, service-oriented law firm in Austria.
The Austrian data protection authority has announced that health data of employees infected with COVID-19 may be disclosed to the extent necessary to protect other employees from infection. 

A question that is increasingly arising for companies in Austria during the COVID-19 pandemic is whether the identity of an infected employee in a company may or must be disclosed at the request of other employees. This could be required in particular if another employee claims to be immunosuppressed (and therefore at increased health risk) or to live with someone who is immunosuppressed.

According to Austrian law, an employer, under its duty of care towards its employees, is generally obliged to inform the staff about all infections that have occurred in the company, especially if there is a potential danger of infection for other employees. Whether the specific identity of the infected person may or even must be disclosed in order to fulfil the duty of care is examined on a case-by-case basis and must be assessed based on the details of the particular situation. Since the employer does not know in detail which other employees have been in direct contact with the infected person, all employees of the company must usually be informed about the infection – and possibly also about the identity of the infected employee.

If an employee approaches the employer and asks for the identity of the infected employee, for example because he or she lives with someone who has an underlying disease or belongs to a risk group in connection with COVID-19, the privacy interests of the infected employee under data protection law and the personal interests of the employee who made the inquiry must always be weighed up against each other, because the data at issue are health data of the employee which are specially protected under the General Data Protection Regulation.

However, the Austrian data protection authority announced in a recently published guideline that the health data of infected employees may be used to the extent necessary to contain the further spread of the COVID-19 virus and to protect other people. This includes in particular the collection of data from persons who have been diagnosed as positive or who are suspected of having contracted the virus through direct contact with an infected person. On the basis of this guideline, we therefore believe that, in the context of the COVID-19 pandemic, the employer is in principle entitled to disclose the health data of infected or potentially infected employees in order to contain the further spread of infection and to protect other employees from infection.