Sick Leave Management for German SMBs: Legal Requirements & Software

Digital sick notes in Germany: what's been legally required since 2023, how the eAU works, and which software handles sick leave in a GDPR-compliant way.

9 Min. Lesezeit

Wichtige Erkenntnisse

  • Germany's electronic sick certificate (eAU) replaced the paper 'yellow slip' for most statutory health insurance employees in 2023.
  • SMBs without a payroll system face special challenges integrating the eAU process — dedicated HR software bridges this gap.
  • Sick leave data is health data under GDPR and requires stricter handling: minimal collection, role-based access, and a DPA.
  • A solid internal process (receive, document, capacity-plan, close out) prevents confusion and legal gaps.
  • TodayOff's sick leave workflow integrates eAU processing, enforces data protection, and keeps everything audit-ready.

Sick Leave Management for German SMBs: Legal Requirements & Software Solutions

Digital sick notes became reality in Germany in 2023 — at least for the majority of employees covered by statutory health insurance. For many small and mid-sized businesses, the transition happened quickly and raised practical questions: What exactly changed? What are employers' obligations? How do I handle digital sick notes in a GDPR-compliant way? And which software actually handles this process correctly?

This article answers all four questions — practically, without legal jargon, and with concrete recommendations for day-to-day operations.

The Electronic Sick Certificate: What Changed Since 2023

The End of the Paper Certificate

Until the end of 2022, the process was clear if cumbersome: employees went to the doctor, received a paper certificate of incapacity for work (Arbeitsunfähigkeitsbescheinigung, or AU) — the famous "yellow slip" (gelber Schein) — and handed or mailed it to their employer. For companies, that meant collecting paper, filing it, and manually entering it into HR records.

Since 1 January 2023, employers are required to actively retrieve the electronic certificate of incapacity (eAU) from the health insurer. The process works like this:

  1. The doctor reports the incapacity electronically directly to the employee's statutory health insurer.
  2. The health insurer makes the eAU data available digitally.
  3. The employer — or their payroll system — retrieves this data.

This means: employees are formally no longer required to hand their employer a paper certificate. They only need to report their incapacity — when it started, how long it's expected to last, and whether they saw a doctor. The official certificate arrives digitally via the health insurer.

What Still Applies — and What Hasn't Changed

Important for small businesses: some things have not changed:

  • Employees still have a duty to notify their employer. They must promptly inform their employer that they are unwell and for how long they expect to be off.
  • Privately insured employees are exempt from the eAU process. Paper certificates remain the standard for them (for now).
  • Foreign sick certificates — for example, when an employee falls ill while on vacation abroad — are not transmitted electronically.
  • The employer's internal documentation obligation remains: you must maintain a traceable record of when each employee was on sick leave.

The Challenge for Small Businesses Without a Payroll System

The eAU retrieval is technically tied to the German social security reporting system (DEÜV), which is typically handled through a payroll software or a tax advisor. For small businesses that outsource payroll, this means: your tax advisor retrieves the eAU — but your internal HR management usually only gets a delayed notification.

The solution: internal sick leave tracking that runs in parallel with the official eAU process. Employees report their illness internally — through your HR software — and the employer records the status. The official eAU runs through the tax advisor. Both channels complement each other.

Processing Sick Leave Correctly: The Internal Process for SMBs

Regardless of the electronic certificate process, every business needs a clear internal workflow for handling sick leave. A well-structured process prevents misunderstandings, reduces administrative burden, and ensures audit-proof documentation.

Step 1: Receive the Sick Notice

The employee calls in sick — ideally through a defined channel (HR software, direct message to their manager, or phone). Importantly, the channel should be consistent and binding for everyone. A WhatsApp message to a team lead that never makes it into the system is not an audit-proof notification.

Best practice: HR software with a mobile app, through which employees can submit a sick notice in seconds. Their manager is automatically notified, the calendar updates, and the record is created automatically.

Step 2: Internal Documentation and Capacity Planning

Once the sick notice is in, two things need to happen: the absence is logged in the system (including expected duration), and the manager can plan accordingly. Who's available to step in at short notice? Which tasks need to be redistributed?

Good HR software shows current team availability in real time — without back-and-forth, without manual spreadsheet updates.

Step 3: Return and Closeout

When the employee returns, the sick leave entry is closed out. The system automatically calculates the total sick days for the year (relevant for continued pay obligations, payroll cost accounting, and statistical reporting). Managers can immediately see at a glance who has been absent more than average — without any manual analysis.

GDPR and Health Data: Special Obligations

Sick notes fall under sensitive personal data as defined by Article 9 of the GDPR. Health data is subject to heightened protection — and that has concrete implications for your choice of HR software.

What SMBs Need to Keep in Mind on Data Protection for Sick Leave

1. Data minimization: You may only collect what's necessary for processing. The medical diagnosis is generally not required and should not be entered into HR software. Start date, expected end date, and the fact of incapacity — that's all your operational HR management needs.

2. Access restrictions: Not everyone in the company should be able to access health-related data. HR software must support role-based access controls: managers see absences for their direct reports, but not diagnostic details or records from other teams.

3. EU data storage: Health data may not be stored on servers outside the EU unless appropriate standard contractual clauses and supplementary safeguards are in place. The simpler path: software that operates exclusively on EU servers.

4. Data processing agreement (DPA): You must have a data processing agreement (Auftragsverarbeitungsvertrag, AVV) in place with every SaaS provider that has access to your employees' personal data. Reputable providers make this agreement available as standard.

5. Deletion periods: Health data must be deleted after a defined period — typically after the employment relationship ends, plus applicable statutory retention periods. Your HR software should support this process.

Red Flags When Evaluating Software

  • Data stored on US servers with no demonstrable safeguards
  • No DPA available, or only upon request
  • No role-based access controls
  • No deletion function or option for employee data

How TodayOff Handles Sick Leave

TodayOff was built specifically for the requirements of European SMBs — and that explicitly includes the correct, GDPR-compliant handling of sick leave.

The Sick Leave Workflow in TodayOff

From the employee's perspective: An employee opens the TodayOff app (iOS or Android), taps "Submit sick leave," enters the start date and expected end date, and submits. The manager receives an immediate notification. The team calendar updates. The entire process takes under a minute.

From the manager's perspective: The manager sees the sick leave notification in the dashboard, can add a response, and adjust team planning directly. All absences — vacation, sick leave, special leave — are visible in a single unified view.

From the HR perspective: The HR admin has access to all sick leave records across the company, can generate reports by time period or team, and export data for payroll. All entries are stored with a tamper-proof timestamp.

Data Protection Architecture

  • EU data storage: TodayOff hosts all customer data on European servers via Supabase EU
  • GDPR-compliant from day one, with no additional configuration required
  • Data processing agreement (DPA) provided as standard
  • Role-based access controls: No employee data is visible without the appropriate permissions
  • No diagnoses: TodayOff stores no medical details — only absence status and dates

Integration with the eAU Process

TodayOff complements the eAU process on the internal side: while the official eAU retrieval runs through your payroll system or tax advisor, TodayOff ensures that your internal communication, capacity planning, and documentation are complete and traceable. Both systems coexist — without redundancy, without gaps.

Frequently Asked Questions About Digital Sick Leave for SMBs

Does an employee still have to give me a paper certificate? For employees covered by statutory health insurance: no, not anymore. The official certificate runs digitally. You should, however, still require employees to report their incapacity internally — through your defined channels.

What do I do if someone has private health insurance? Privately insured employees still receive a paper certificate and submit it to their employer. Your HR system should be able to handle both variants.

How long do I need to keep sick leave records? There is no single statutory retention period specifically for sick certificates. In practice, sick leave documentation is often retained for the duration of the employment relationship. Payroll records relevant for tax purposes are subject to a 6-year retention requirement. If in doubt, consult your tax advisor.

Am I allowed to analyze how frequently employees are sick? Yes, for your own HR purposes (workforce planning, statistics), this is generally permissible. What matters: the analysis must be purpose-bound, handled confidentially, and limited to what's necessary. Analyzing individual absence frequency without a specific reason can become legally problematic in an employment law context — legal advice is recommended here.

Conclusion: Digital Sick Leave Requires Digital Processes

The introduction of the eAU was a major first step — but it only addresses the official transmission channel. The internal process within your organization remains the employer's responsibility: fast reporting channels, clean documentation, and GDPR-compliant data storage.

For small businesses, the solution isn't a monolithic HR suite that also covers recruiting, performance management, and payroll. The solution is a lean, specialized tool that handles absences — including sick leave — cleanly, operates in a GDPR-compliant way, and can be up and running without any IT effort.

Related articles: Affordable HR Tools: The Best Value for Small Businesses | HR Digitization for SMBs: The 3 Phases

Manage sick leave digitally — GDPR-compliant, mobile, and from day one. Start for free, no credit card required. → https://app.todayoff.de