Takeaways (AI):
  • The MDK processes health data to assess fitness for work, but must comply with security measures.
  • Art. 9 para. 2 lit. h GDPR permits the processing of health data only if strict conditions are met.
  • Liability under Art. 82 GDPR does not depend on fault, but is merely intended to provide compensation for damage.

An employee in the IT department of the Medical Service of the North Rhine Health Insurance Fund (MDK) had become unfit for work. The expert opinion on his incapacity for work had been drawn up by the same MDK, with the help of information from the attending physician. When the employee found out about this from his doctor, he asked a colleague in the IT department to take photos of the report for him.

The employee then sued for damages on the grounds that the report should have been prepared by a different medical service so that his colleagues did not have access to his health data, and that the security measures for archiving the expert opinion on him were inadequate.

The Düsseldorf Labor Court and the second instance, the Düsseldorf Regional Labor Court, dismissed the case. The Federal Labor Court then referred a number of questions to the ECJ (judgment in Case C-667/21).

Requirements pursuant to Art. 9 para. 2 lit. h GDPR (preventive healthcare, occupational medicine, etc.)

The first question related to permissibility under Art. 9 para. 2 lit. h GDPR. Accordingly, the processing of health data is permitted if it serves a purpose listed in lit. h (preventive healthcare, occupational medicine, etc.), if it is based on EU or national law and if the guarantees under Art. 9 para. 3 are complied with (processing by specialist personnel subject to professional secrecy). In contrast, according to the ECJ, the GDPR does not stipulate that Art. 2 lit. h only applies if the processing is carried out by a neutral third party and not by the employer:

58 In the light of the foregoing, and without prejudice to the answers given to the second and third questions, the answer to the first question must be that Art. 9 para. 2 letter h GDPR must be interpreted as meaning that the exception provided for in that provision, subject to the proviso that the data processing in question meets the conditions and safeguards expressly prescribed in point (h) and in Article 9(3), is applicable to situations in which a medical assessment body processes health data of one of its employees not as an employer, but as a medical service, in order to assess the employee's ability to work.

TOMs for the exclusion of work colleagues

Article 9(2)(h) also does not require the exclusion of colleagues of the person to be assessed from the assessment, unless a Member State has legislated accordingly on the basis of Article 9(4). However, the referring Federal Labor Court must examine whether the MDK has taken reasonable security measures, which may require such a separation.

Relationship between Art. 9 para. 2 and Art. 6 GDPR

More interesting than the previous questions is the relationship between Art. 9 para. 2 and Art. 6 GDPR. It must be assumed that Art. 6 para. 1 provides an exhaustive list of cases in which processing is lawful. This means that the processing of health data (and other special category data) must comply not only with the requirements of Art. 9 para. 2, but also with those of Art. 6:

79 In the light of the foregoing, the answer to the third question is that Article 9(2)(h) and Article 6(1) of the GDPR must be interpreted as meaning that processing of health data based on the first provision is only lawful if it not only complies with the requirements arising from this provision, but also fulfills at least one of the legality requirements specified in Art. 6 (1).

The ECJ does not state this in such general terms, but its statements can only be understood as meaning that Art. 6 GDPR must also be fulfilled for any processing of special category data.

More points

Furthermore, the ECJ confirms the case law in Deutsche Wohnen, according to which the claim for damages under Art. 83 GDPR does not have a punitive function, but only a compensatory function. This also means that the severity of the fault is not to be taken into account when determining the claim for damages, even for non-material damage:

103 Consequently, the answer to the fifth question is that Article 82 GDPR must be interpreted as meaning that, on the one hand, the liability of the controller is dependent on the existence of fault attributable to him, which is presumed if he does not prove that the act that caused the damage is not attributable to him, and that, on the other hand, Art. 82 does not require that the degree of that fault be taken into account in assessing the amount of damages awarded as compensation for non-material damage on the basis of that provision.

AI-generated takeaways can be wrong.