Implementation of the new “3G rules” at the workplace by the employer in Germany

On 18th November 2021, the German Parliament passed the “Act Amending the Protection against Infection Act and other Laws on the occasion of the Repeal of the Determination of the Epidemic Situation of National Significance.” The Act obliges employers, with regard to § 28b para. 2 sentence 1 IfSG, to monitor compliance with the “3G rules” in the workplace. At first glance, this obligation does not suggest any major difficulties, since simple entry checks can theoretically be carried out. However, on closer inspection, as is so often the case, data protection problems arise.

Although the employer is now authorized to process personal health data due to § 28b para. 3 sentence 3 IfSG, this does not yet entitle him to check the vaccination status. Such a right is only provided for medical and social institutions, so that the vaccination status is still considered to be particularly worthy of protection according to Art. 9 of the GDPR. This gives rise to numerous problems, some of which will be answered below.

How do I find out the vaccination status of my employees, if I am not allowed to ask them?

In order to implement the 3G regulations reasonably and effectively, the vaccination status of employees must be learned without having to ask them. Although several notable voices are already calling for a corresponding right to information, an interim solution is needed until then.

To circumvent the problem of the employer’s lack of the right to ask questions, we recommend preparing individual declarations of consent for employees. There are legal risks of invalidity here as well, since the view is sometimes held that consent to processing is not possible under employment law (in this respect, there is a relationship of superiority and subordination that always excludes the voluntary nature of consent). Nevertheless, based on the current legal situation, we assume that getting consent is the lower-risk model compared to direct inquiry.

Employees who do not consent to sharing their immunization status will then be required to provide a test result on a daily basis.

In addition, do I need to be shown the original vaccination certificate or is it sufficient if the employee shows me the vaccination certificate on his or her cell phone?

The app check of the digital certificate is sufficient. For certificates, the new § 28b para. 1 sentence 1 IfSG refers to the definitions of the so-called COVID-19 Protective Measures Exception Regulation (in German: Schutzmaßnahmen-Ausnahmeverordnung (SchAusnahmV)).

According to § 2 No. 3, 5, 7 SchAusnahmV, proof of vaccination, convalescence and testing is also possible in digital form. The certificates can be checked using the “CovPass app”. According to the RKI, this app deletes the data immediately after the check, which is why the use of the CovPass app is recommended from a data protection perspective. The German Federal Ministry of Health has set up an FAQ on digital proof of vaccination, which links to the website, among others. On the second website, the section “Questions about the CovPass app” contains instructions on how to use the app.

How may I document the certificates?

A list must be prepared that records the names and the respective vaccination or convalescent status of the employees who voluntarily communicated their status as part of the consent process. However, due to the principles of data minimization and purpose limitation, this should be limited to a note of the validity period; the entire vaccination or recovery card, for example, should not be copied or scanned. When the validity period expires, the respective status must be checked again. Employees must carry their respective certificates with them while working to prove their status in the event of an inspection.

For those employees who do not voluntarily communicate their status, a checklist must be prepared on which the names and the regular test result are “checked off” daily.

How long must and may the data be saved?

According to the new § 28b para. 3 IfSG, data must be deleted no later than the end of the sixth month after it was collected.

What are the fines?

According to § 73 para. 2 IfSG, there is a fine of up to 25,000.00€ for each case of non-compliance, so the checks should not be taken lightly!

What do I do if an employee does not want to provide proof?

Such an employee is initially not allowed to enter the company. This may result in further consequences (no continued payment of wages, further actions up to a warning and termination), which, however, would have to be examined and evaluated in each individual case. It is to be expected that numerous court decisions will lead to more clarity in this area in the near future.