- The MDK processes health data to assess fitness for work, but must comply with security measures.
- Art. 9 para. 2 lit. h GDPR permits the processing of health data only under strict conditions.
- Liability under Art. 82 GDPR does not depend on fault, but is merely intended to compensate for damage.
An employee in the IT department of the Medical Service of the North Rhine Health Insurance Fund (MDK) had become unfit for work. The expert opinion on his incapacity for work had been drawn up by the same MDK, with the help of information from the attending physician. When the employee found out about this from his doctor, he asked a colleague in the IT department to take photos of the report for him.
The employee then sued for damages on the grounds that the report should have been prepared by a different medical service, so that his colleagues would not have access to his health data, and that the security measures for archiving the report on him were inadequate.
The Düsseldorf Labor Court and, on appeal, the Düsseldorf Regional Labor Court dismissed the claim. The Federal Labor Court then referred a number of questions to the ECJ (judgment in Case C‑667/21).
Requirements pursuant to Art. 9 para. 2 lit. h GDPR (preventive healthcare, occupational medicine, etc.)
The first question concerned the conditions of Art. 9 para. 2 lit. h GDPR. Under that provision, the processing of health data is permitted if it serves a purpose listed in lit. h (preventive healthcare, occupational medicine, etc.), if it is based on EU or national law, and if the safeguards of Art. 9 para. 3 are complied with (processing by specialist personnel subject to professional secrecy). By contrast, according to the ECJ, the GDPR does not stipulate that Art. 9 para. 2 lit. h applies only if the processing is carried out by a neutral third party rather than by the employer:
58 In the light of the foregoing, and without prejudice to the answers given to the second and third questions, the answer to the first question must be that Art. 9 para. 2 letter h GDPR must be interpreted as meaning that the exception provided for in that provision, subject to the proviso that the data processing in question meets the conditions and safeguards expressly prescribed in point (h) and in Article 9(3), applies to situations in which a medical assessment body processes the health data of one of its employees not as an employer, but as a medical service, in order to assess the employee's ability to work.
TOMs for the exclusion of work colleagues
Article 9(2)(h) also does not require that colleagues of the person being assessed be excluded from the assessment, unless a Member State has legislated accordingly on the basis of Article 9(4). However, the referring Federal Labor Court must examine whether the MDK has taken appropriate security measures, which may require such a separation.
Relationship between Art. 9 para. 2 and Art. 6 GDPR
More interesting than the previous questions is the relationship between Art. 9 para. 2 and Art. 6 GDPR. It must be assumed that Art. 6 para. 1 provides an exhaustive list of the cases in which processing is lawful. This means that the processing of health data (and other special category data) must comply not only with the requirements of Art. 9 para. 2, but also with those of Art. 6:
79 In the light of the foregoing, the answer to the third question is that Article 9(2)(h) and Article 6(1) of the GDPR must be interpreted as meaning that processing of health data based on the first provision is lawful only if it not only complies with the requirements arising from that provision, but also fulfills at least one of the lawfulness conditions set out in Art. 6(1).
The ECJ does not state this in such general terms, but its statements can only be understood as meaning that Art. 6 GDPR must also be satisfied for any processing of special category data.
More points
Furthermore, the ECJ confirms its case law in Deutsche Wohnen, according to which the claim for damages under Art. 82 GDPR does not have a punitive function, but only a compensatory one. This also means that the severity of the fault is not to be taken into account when determining the claim for damages, even for non-material damage:
103 Consequently, the answer to the fifth question is that Article 82 GDPR must be interpreted as meaning that, on the one hand, the liability of the controller is dependent on the existence of fault attributable to him, which is presumed unless he proves that the act that caused the damage is not attributable to him, and that, on the other hand, Art. 82 does not require that the degree of that fault be taken into account in assessing the amount of damages awarded as compensation for non-material damage on the basis of that provision.