Protection of employee data, processing of health data in the employment relationship within the framework of a national legal mandate
The processing of personal employee data - including health data - is permissible under data protection law if this is done within the framework of a legal mandate, whereby a mandate under national law is sufficient in this case. This was recently clarified by the Federal Labor Court (judgment of June 20, 2024 - 8 AZR 253/20).
Facts of the case
The ruling of the Federal Labor Court is based on the following facts:
The defendant, Medizinischer Dienst Nordrhein (North Rhine Medical Service), carries out medical assessments on behalf of the statutory health insurance funds, among other things to eliminate doubts about the incapacity to work of persons insured under the statutory health insurance scheme, and does so even when the assignment concerns its own employees. In the latter case, according to the provisions of a service agreement concluded between the defendant and the staff council and a service directive issued by the defendant, only a limited number of employees in a special unit set up in Düsseldorf and Duisburg (the so-called "Special Case" organizational unit) are permitted to process the (health) data of the employees concerned using a blocked area of the defendant's IT system and to access the electronic archive after the assessment order has been completed. Access to the data takes place through the use of personalized software certificates and may only take place within assigned access rights, which are based on the tasks to be completed. The service directive also stipulates, among other things, that certain employees (assistants and experts) of the "Special Case" organizational unit in Duisburg, named in an "access concept", are responsible for the employees at the Düsseldorf location. According to the service agreement, the employees of the defendant's cross-location IT department, set up in Düsseldorf and consisting of nine employees during the period in dispute, are also entitled to access, again exclusively for the performance of their tasks.
The plaintiff most recently worked as a system administrator and "helpdesk" employee in the defendant's IT department. He had been on uninterrupted sick leave since November 2017. From May 2018, he received sick pay from his statutory health insurance fund. In June 2018, the latter commissioned the defendant to prepare an expert opinion to dispel doubts about the plaintiff's inability to work. A doctor employed by the defendant, who belonged to the "Special Case" organizational unit in Duisburg, prepared an expert opinion containing the diagnosis of the plaintiff's illness. Before preparing the report, the doctor obtained information about the plaintiff's state of health by telephone from the doctor treating him. After the plaintiff learned of the telephone call from his attending physician, he contacted a colleague from the IT department who, at his request, looked up the report in the archive, took photos of it with her cell phone and then sent the photos to the plaintiff using a messenger service.
In his claim, the plaintiff demanded payment of non-material damages from the defendant on the basis of Art. 82 (1) GDPR, arguing among other things that the processing of his health data by the defendant was unlawful. In his view, the expert opinion should have been prepared by a different medical service; in any case, the expert was not authorized to obtain information from his attending physician by telephone. The security measures surrounding the archiving of the report were also inadequate. The unlawful processing of his health data had caused him certain concerns and fears, which he described in more detail. At second instance, the plaintiff also claimed material damages, by way of an action for performance and a declaratory judgment, for a loss (of earnings) that he had suffered or would suffer in the future, on the grounds that learning of the telephone conversation between the expert and his treating doctor had led to an extension of his incapacity to work.
The lower courts dismissed the claim. The plaintiff's appeal to the Eighth Senate of the Federal Labor Court was unsuccessful.
Reasons for the decision
The processing of health data by a medical service that has been commissioned by a statutory health insurance fund to prepare an expert opinion to eliminate doubts about the incapacity to work of an insured person may also be permissible under Article 9(2)(h) GDPR if the insured person is one of the medical service's own employees. An employer who, as a medical service, processes health data of its own employee is not obliged to ensure that no other employee has access to this data.
The basic requirements for a claim for damages under Art. 82 para. 1 GDPR, which consist cumulatively of a breach of the GDPR, material and/or non-material damage suffered by the data subject and a causal link between the damage and the breach, are not met. To begin with, there is no breach of the provisions of the GDPR. The processing of the plaintiff's health data by the defendant was permissible overall under EU law. It complied with the requirements set out by the European Court of Justice in the preliminary ruling of December 21, 2023 (- C-667/21 - [Krankenversicherung Nordrhein]), which the Senate had requested by order of August 26, 2021 (- 8 AZR 253/20 (A) -). The processing was necessary for the preparation of the expert opinion commissioned by the statutory health insurance fund, which has its basis in national law, to eliminate doubts about the plaintiff's incapacity to work within the meaning of Art. 9 para. 2 letter h GDPR. This also applies to the telephone conversation between the defendant's expert and the plaintiff's attending physician. The data processing also satisfied the guarantees of Art. 9 para. 3 GDPR, as all employees of the defendant who had access to the plaintiff's health data were subject to a professional duty of confidentiality or, in any case, to the duty of social data confidentiality, which the defendant's employees must also observe among themselves. In the aforementioned provisions, EU law does not contain any requirement that, in a case such as the present one, another medical service must be commissioned to prepare the expert opinion or that it must be ensured that no other employee of the commissioned medical service has access to the data subject's health data. Corresponding restrictions on (health) data processing, which the member states may introduce or maintain in accordance with Art. 9 para. 4 GDPR, are not contained in national (German) law. The data processing by the defendant was also lawful in other respects. It fulfilled the general conditions for lawful processing under Art. 6 GDPR, which applies in addition to Art. 9 GDPR. Moreover, the organizational and technical measures taken by the defendant, in performing its statutory duties as a medical service, to protect the health data of its own employees complied with the principles of integrity and confidentiality enshrined in Union law. This was to be assumed all the more because the only proven case of unauthorized access to an employee's health data processed by the defendant as a medical service was due to an initiative of the data subject himself, in this case the plaintiff.
Note for practice
Beyond the particular circumstances of this case, which stem from the defendant's specific role as employer, the general conclusion that can be drawn from the decision of the Federal Labor Court is that the processing of personal employee data, including health data, is permissible under data protection law if it is done within the framework of a legal mandate, whereby a mandate under national law is sufficient here. Of course, the general data protection requirements for the organization of operational processes must still be complied with.
The court's comment that the only unauthorized access to the plaintiff's health data was made on his own initiative is perfectly correct, but nevertheless noteworthy: it was the plaintiff's colleague from the IT department who, acting outside her role in the employment relationship, looked up the expert opinion, took photos of it with her cell phone and then sent the photos to the plaintiff using a messenger service.
28th June 2024