Do you need legal help? Contact us.
Almost all schools test their students in class with so-called corona rapid tests. But are these tests even compliant with data protection regulations? This quick test is usually carried out in a class group. Each student tests himself and shows the result to the teacher. If a student tests positive for the corona virus, he will be immediately separated from the other students and can / must be picked up. But how does this change class cohesion? On the one hand, children - like many adults - do not know what a "positive test result" means. On the other hand, it seems unknown to many that one is only contagious for a certain time (if at all). It follows that a student who tested positive is exposed to a high risk of bullying and social exclusion.
This article is not intended to go into the usefulness of such tests. The following article deals purely with the associated data protection problems and concerns.
The processing of health data is regulated in Art. 9 of the General Data Protection Regulation (GDPR). Art. 9 GDPR provides for increased legality requirements compared to Art. 6 GDPR general processing ban (Art. 9 Para. 1 GDPR) in combination with strict requirements for admissibility (Art. 9 Para. 2 and 3 GDPR) exist. The legislature has anchored this increased need for protection in Article 9, as it
"Are by their nature particularly sensitive with regard to fundamental rights and freedoms and (...) in connection with their processing considerable risks for the fundamental rights and freedoms can arise" P. 51 Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation)
As a result, processing is only permitted under significant conditions.
Regardless of whether the school or the Ministry of Culture deems rapid corona tests to be necessary, these require the consent of the student concerned or, if applicable, their legal guardian. If this consent is missing, the test (and the associated processing) is also inadmissible!
The problem with the matter, however, is that the schools will refuse classroom teaching in the event of refusal. The student is thus referred back to distance teaching.
Something else must apply if the student agrees to a test but does not want unauthorized third parties - like his classmates - to know the result. In this case it is the task of the school to find a way how this permissible data protection goal can be met! If the school refuses to allow the student concerned access to face-to-face lessons under these conditions, this would be illegal!
In any case, you should do the following:
- Revocation of the declaration of consent for testing
- Submission of a conditional declaration of consent that the test may only be carried out if no unauthorized third party can gain knowledge of the result
- Request to submit the data protection concept (including the technical organizational measures)
- Request to appoint the school's data protection officer
- Deadline Set the school to submit nos. 3 and 4 for one week
You are welcome to use the following sample letter.
Ladies and Gentlemen,
our child (NAME, ADDRESS) is your student.
The reason for our letter is the corona rapid tests carried out on your premises. As part of these quick tests, the students have to carry out one in a class and then show the result to the teacher. This approach comes across massive data protection concerns. In particular, it does not seem necessary for all classmates to know the results of the tests - but this inevitably happens.
As part of these tests, health data are collected and processed. According to Art. 9 Paragraph 1, 4 No. 15 GDPR, such data belong to the special categories of personal data. Art. 9 GDPR lays down special, restrictive admissibility requirements for the processing of selected data categories which, due to their inherent informative content, can already entail particular risks for the data subject during processing. The processing of these categories of personal data (also: sensitive, better: sensitive data), which have been declared as particularly worthy of protection by the regulatory authority, is subject to a strict ban (Paragraph 1) unless one of the exceptions standardized in Paragraph 2 is relevant. The permissions listed in Paragraph 2 set additional requirements for the processing of the data categories mentioned in Paragraph 1 (Gola DS-GVO / Schulz, 2nd edition 2018, DS-GVO Art. 9 Rn. 1).
According to Article 5 (1) (c), personal data must be appropriate, substantial and limited to what is necessary for the purposes of processing; the principle is collectively referred to here as "data minimization".
(Kühling / Buchner / Herbst, 3rd edition 2020, GDPR Art. 5 Rn. 55). This is apparently not the case with the tests carried out in your home.
Such tests in the form you carry out also violate Recital 75 GDPR:
The risks to the rights and freedoms of natural persons - with varying degrees of probability and severity - can arise from the processing of personal data leading to a physical, material or immaterial Schaden could lead, especially if the processing zu a discrimination, identity theft or fraud, financial loss, a Reputation damageng, loss of confidentiality of personal data subject to professional secrecy, unauthorized cancellation of pseudonymization or other significant economic or social disadvantages can lead if the data subjects are deprived of their rights and freedoms or prevented from doing so, to control the personal data concerning themn, if personal data showing racial or ethnic origin, political opinions, religious or ideological beliefs or membership of a trade union, and genetic data, Health data or data relating to sex life or criminal convictions and criminal offenses or related security measures are processed when personal aspects are assessed, in particular when aspects that affect work performance, economic situation, Health, personal preferences or interests relating to reliability or behavior, whereabouts or change of location, analyzed or forecast in order to create or use personal profiles when personal data of vulnerable natural persons, in particular data from children, processed or when the processing involves a large amount of personal data and a large number of data subjects.
We therefore revoke the consent to data collection in the context of such testsas long as you have not submitted a corresponding data protection concept. Simultaneously we request the submission a suitable data protection concept.
Farther we urge you, us the technical and organizational measures on data protection in the context of these tests as well as the Contact details of your data protection officer to name.
To present this information, we have chosen the May 18.05.2021, XNUMX reserved. If a final statement is not available by this time, we will hand over the matter to the state data protection officer and a lawyer.
Mit freundlichen Grüßen