Data Protection Within an Organization itself.

 Data Protection Requirements in Art. 6 and 9 GDPR.

Tobias Vößing

Data Protection Within an Organization itself.

Blog: Labor Law - Article from 16.03.2021
Access to sensitive data should only be granted to those who need it to perform their tasks – even within the company itself.

Facts of the Case

The plaintiff employed by the defendant medical service had been ill and continuously unfit for work since November 22, 2017. He had been receiving sick pay since May 24, 2018. On June 6, 2018, the plaintiff’s health insurance company instructed the defendant to obtain an expert report to settle any doubts regarding the plaintiff’s inability to work. The defendant complied with this request.
The plaintiff requests the defendant to pay compensation of EUR 20,000. The claim arises, among other things, because a doctor had received information from the plaintiff’s personal physician for the creation of the expert report by telephone and without the plaintiff’s prior agreement.

Judgement

According to the Higher Labor Court Düsseldorf (ref: 12 Sa 186/19), the claim is unjustified. There is no claim arising from art. 82 section 1 GDPR or § 823 section 1 German Civil Code in conjunction with art. 2 section 1, art. 1 section 1 of the German Constitution.
The medical service of the health insurance company is entitled, upon request by a health insurance company, to have a doctor employed by the medical service prepare an expert report on an insured member’s incapacity to work. This also applies if the member received sick pay from the health insurance company and was an employee of the medical service.
The processing of the plaintiff’s personal data in conjunction with the creation of the expert report was necessary to fulfill a legal obligation within the meaning of art. 6 section 1 sentence 1 lit. c GDPR. This arises from article 275 section 1 sentence no. 3 lit. b Social Security Code V.

Protection of Private Personal and Social Information also Required Internally

According to Article 276 Paragraph 2 Sentence 7 of book V of the German Social Security Code, technical and organizational measures must ensure that the private social data is only accessible to those who need it to fulfill their tasks. This specific provision to protect the private social information includes the obligation to ensure, even within the funding agency, that the private social data is only accessible to or passed on to authorized persons. This provision demands an employee-oriented approach. The health insurance company’s medical service is not a “unit of competence” in terms of data protection law, but must be considered in an employee-oriented, differentiated way.

Consequences in Practice

The considerations of the judgment regarding the conceptualization of access can be applied to hospitals, nursing homes and other facilities in the health care sector. The judgement provides guidance on the security precautions to be observed. The particular confidentiality of health data must be takin into account in organizational measures.

Newsletter

Stay up-to-date with the latest news!
Would you like to be informed whenever a new post is published in our labor law blog #LaborLaw by Buse? You wish to know which topic we are going to report on next? Then sign up for our newsletter here:

Works Council Issued Warning for Violation of Works Constitution Act Obligations.

Blog: Labor Law
Works Council Issued Warning for Violation of Works Constitution Act Obligations. Higher Labor Court Baden-Wuerttemberg Confirms possibility of warnings under Works Constitution Act (Ref.: 8 TaBV 3/19).
02.02.2021
Tobias Grambow

Works Council has no Right of Co-Determination in Union Actions.

Blog: Labor Law
Works Council has no Right of Co-Determination in Union Actions. Both employers and works councils are excluded from trade union actions. This is according to a recent decision of the Federal Labor Court (Case No.: 1 ABR 41/18).
29.12.2020
Jan Tibor Lelley

Blog: Labor Law
Works council elections 2022: Determining the elected candidates. Every candidate has to have equal access opportunities.
24.05.2022
Tobias Grambow

Betriebsratswahlen 2022 - Ende der Amtszeit.

Blog: Labor Law
Works council elections 2022 – End of term.
A works council’s term of office generally comes to an end after four years – What exceptions are there?
01.02.2022
Tobias Grambow

Works council elections 2022 – digital, hybrid or analog?

Blog: Labor Law
Works council elections 2022 – digital, hybrid or analog? Is it permitted to hold a works council election using voting software?
01.03.2022
Tobias Grambow

Works council elections 2022 – Appointing the election committee.

Blog: Labor Law
Works council elections 2022 – Appointing the election committee. The works council is generally responsible – Are there exceptions?
25.01.2022
Tobias Grambow
Let’s connect

Do you wish to receive information on recent developments of law, invitations to events or seminars from us? We hereby request your explicit consent.

…Declaration of Consent

BUSE

About us
List of partners
Contact
Imprint
Privacy Policy

 

Arrange a meeting

We can discuss your request directly in a personal meeting. We ensure absolute discretion and professional and honest advice.

…to our offices

© BUSE · Rechtsanwälte Steuerberater Partnerschaftsgesellschaft mbB