Data Protection Within an Organization itself.

Data Protection Requirements in Art. 6 and 9 GDPR.

Tobias Vößing


Access to sensitive data should only be granted to those who need it to perform their tasks – even within the company itself.

Facts of the Case

The plaintiff, employed by the defendant medical service, had been ill and continuously unfit for work since November 22, 2017. He had been receiving sick pay since May 24, 2018. On June 6, 2018, the plaintiff’s health insurance company instructed the defendant to obtain an expert report to settle any doubts regarding the plaintiff’s inability to work. The defendant complied with this request.
The plaintiff requests the defendant to pay compensation of EUR 20,000. The claim is based, among other things, on the fact that a doctor preparing the expert report had obtained information from the plaintiff’s personal physician by telephone and without the plaintiff’s prior agreement.

According to the Higher Labor Court Düsseldorf (ref: 12 Sa 186/19), the claim is unjustified. There is no claim arising from art. 82 section 1 GDPR or § 823 section 1 German Civil Code in conjunction with art. 2 section 1, art. 1 section 1 of the German Constitution.
The medical service of the health insurance company is entitled, upon request by a health insurance company, to have a doctor employed by the medical service prepare an expert report on an insured member’s incapacity to work. This also applies if the member received sick pay from the health insurance company and was an employee of the medical service.
The processing of the plaintiff’s personal data in conjunction with the creation of the expert report was necessary to fulfill a legal obligation within the meaning of art. 6 section 1 sentence 1 lit. c GDPR. This arises from article 275 section 1 sentence no. 3 lit. b Social Security Code V.

Protection of Private Personal and Social Information also Required Internally

According to Article 276 Paragraph 2 Sentence 7 of book V of the German Social Security Code, technical and organizational measures must ensure that private social data is accessible only to those who need it to fulfill their tasks. This specific provision for the protection of private social information includes the obligation to ensure, even within the funding agency itself, that private social data is accessible to, or passed on to, authorized persons only. The provision therefore demands an employee-oriented approach: the health insurance company’s medical service is not a single “unit of competence” in terms of data protection law, but must be considered in an employee-oriented, differentiated way, with access determined per employee and task rather than granted to the organization as a whole.

Consequences in Practice

The considerations of the judgment regarding the conceptualization of access can be applied to hospitals, nursing homes and other facilities in the health care sector. The judgment provides guidance on the security precautions to be observed. The particular confidentiality of health data must be taken into account in organizational measures.